Logical Flaws in WhatsApp to Take Over a WhatsApp Account

Hi friend, once again,
Tayyab Qadir here.

This time I got 3 logical flaws to take over a WhatsApp account, so I am sharing my findings with you. Hope you guys will like this more than the Facebook team did.
One more thing: give it a try to understand it more clearly. Hope it is not fixed yet.

So here is the report which I sent to the Facebook team regarding the issue with WhatsApp:

Hi Sir,

Today I was testing WhatsApp security, and I observed three vulnerabilities:

1- Verification code time limit bypass
2- Code validation not expiring
3- Multiple wrong code attempts

1- Verification Code Time limit bypass :

When the attacker enters the phone number of the victim, it sends the verification code to the victim's smartphone. The attacker makes the 1st wrong attempt, then the 2nd wrong attempt, and so on, until it gives the error
"The code you entered is incorrect. Please try again in 2 min" (or 5 min, etc.). To bypass the time limit, click on "wrong number" above and then enter the same number. You will see there is no more time limit left, and you can enter the code again.
(Friends, try it. Hope it's still valid 😉)

The time limit should be fixed on the number. After entering the same number, the timer should start again from the remaining time. For example, if there was a limit of 10 min and I bypass the limit after 1 min, then when I enter the same number again it should start from the remaining 9 min. But here there is no more time limit, so I think this needs a fix.

2- Code validation not expiring :

So when the time limit is bypassed, I observed that when I click on "wrong number", it asks me to enter a new number. I then enter the same number again, and it asks me to type the code, but after that it sends the same code. After doing the process from point 1 above 5+ times, the code which I received was the same as the previous code.

Suggestion :

The code should be different every time I click on "wrong number" and then retype the same number, and so on.

3- Multiple wrong attempts :

I observed that when I bypassed the time limit almost 15+ times, I also attempted a wrong code every time, meaning 15+ wrong attempts. When I then entered the correct code, it accepted the code after 15+ wrong attempts.

Conclusion :
So an attacker can brute force the account verification code by bypassing the time limit, and the plus point is that the code is not changing after every attempt, which I explained in point 2.

Tayyab Qadir
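
A server-side sketch of the three fixes the report asks for, as an added example that is not WhatsApp's code or part of the original report: the retry timer and failure count are keyed to the phone number, every request issues a fresh code, and a code is burned after too many wrong guesses. The class name, limits and return strings are assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5      # assumed policy: burn the code after this many wrong guesses
BASE_LOCKOUT = 60     # assumed: seconds, doubled on every further failure
CODE_TTL = 600        # assumed: seconds a code stays valid


class OtpVerifier:
    """Hypothetical verifier; all state lives server side, keyed by phone number."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.state = {}  # phone -> {"code", "expires", "failures", "locked_until"}

    def request_code(self, phone):
        # Finding 1: re-entering the number keeps failures and locked_until intact.
        st = self.state.setdefault(phone, {"failures": 0, "locked_until": 0.0})
        # Finding 2: every request issues a fresh code and invalidates the old one.
        st["code"] = f"{secrets.randbelow(10**6):06d}"
        st["expires"] = self.clock() + CODE_TTL
        return st["code"]  # a real service would send this by SMS, not return it

    def verify(self, phone, guess):
        now = self.clock()
        st = self.state.get(phone)
        if st is None or st["code"] is None:
            return "no_code"
        if now < st["locked_until"]:
            return "locked"  # checked before the guess, so a correct code waits too
        if now >= st["expires"]:
            st["code"] = None
            return "expired"
        if hmac.compare_digest(st["code"].encode(), guess.encode()):
            del self.state[phone]
            return "ok"
        st["failures"] += 1
        st["locked_until"] = now + BASE_LOCKOUT * 2 ** (st["failures"] - 1)
        # Finding 3: cap the wrong guesses any single code can absorb.
        if st["failures"] >= MAX_FAILURES:
            st["code"] = None
        return "wrong"
```

Because the lockout is stored against the number and not against the client screen, going back through "wrong number" and retyping the same number changes nothing on the server.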


So that's how we can take over the WhatsApp account.

Hope you all like that. I know you have a question now: did I get any bounty?
Unfortunately no –> not accepted :/

But I am happy that I found this 🙂

Thanks for reading my findings. Give me feedback below or on my Facebook profile.


