Today we’ve learned about an important security flaw in WhatsApp, it could leak your IP address. WhatsApp has had serious security flaws throughout history. One of the most important ones was related to missed calls. Just by receiving a missed call, anyone could steal chats and images from our mobile phone. Now, a new security flaw exposes the IP address of the user.
The bug has been discovered by a user named bhdresh, who has even created a proof of concept in which he demonstrates how the vulnerability works and how it can be exploited to obtain a person’s IP address just by making a call through the app.
https://www.youtube.com/watch?v=AR52CQC5kNc
Anyone can know your IP through WhatsApp with this security flaw
The security flaw works even in the latest version of the app. To do this, you first have to set up a script that can read the traffic when making a call or video call on the app. After that, the sender’s app tries to establish a connection to the IP address of the receiver. By filtering the IP address of the recipient’s Facebook and WhatsApp server, it is possible to reveal their IP address without the user knowing it.
With this method, users can learn public IP addresses to find out the approximate location of these users, and thus be able to track their movements by creating a location history.
To carry out the attack it is necessary, first of all, to have the smartphone and the computer connected to the same Wi-Fi network.
After that, all that remains is to call any WhatsApp user. The call has to be established between both parties, and then we can hang up since the script will already show the IP address of the recipient.
Facebook says it will not fix it
The user who has discovered this vulnerability reported the bug to Facebook on October 14, 2020, but the social network said that this was the expected operation and there was nothing to patch, so they were not going to give a reward. The only advice they gave was to use a VPN if they didn’t want their IP address to be leaked.
In March 2021, Signal introduced a mechanism to redirect calls through a server to hide the recipient’s real IP address. So bhdresh asked Facebook again if they could implement something like this, and they said no, that the current implementation works without problems. So our IP address can be leaked to anyone who calls us, so the only solution is to use a VPN.