WhatsApp is the most powerful messaging service in the world, but it’s not exactly the most secure. Due to the “closeness”, many people have no problem exchanging photos, files or recommendations on this social network. However, the most recent discovery may cause you to reconsider this, because in doing so, you are not only sharing information, as your IP will also be exposed.
This way you can disclose a user’s IP address in WhatsApp
According to Rahul Kankrale, a web security researcher, there is a way to disclose a user’s IP address on WhatsApp by simply sharing a link. Everything seems to indicate that the vulnerability is in the preview of the URLs that are shared by this means.
Kankrale explained on Twitter that a PHP script allows you to get the IP address by previewing any link, but that’s not all. You can also know the version of the application and save this data on a server.
At Medium, they shared step by step the process carried out by the researcher. The first thing it does is create a PHP file and a log file on a server. The following code must be added in the meta-description:
<meta property=”og:description” content=”<?php
echo $_SERVER[REMOTE_ADDR]; $line = date(’Y-m-d H:i:s’) . ” – $_SERVER[REMOTE_ADDR]”; echo $line;
file_put_contents(’visitors.log’, $line . PHP_EOL, FILE_APPEND);?>” />
Then proceed to save this PHP file.
Then open WhatsApp and type the link that leads to this PHP file.
When generating the preview, it captures the IP address and saves it in the server log file.
In the following image, you can see how this information is stored.
Rahul Kankrale also shared his finding and demonstration in a video on YouTube
This is naturally against our security, as it would provide our exact location. Until WhatsApp fixes this bug, we can protect ourselves from this vulnerability by using third-party services or VPNs to mask IP.