Not really useful? #2

Open
dvershinin opened this issue Feb 7, 2021 · 0 comments
dvershinin commented Feb 7, 2021

README says:

It's not needed to explain that now WhatsApp will leak your IP address on every received link

At least in the year 2021, that is not the case.
The link preview is generated on the sender's side only; it is relayed as an image blob to the recipient.
Because that image travels through WhatsApp servers, the recipient's IP address is not disclosed (to you, or the website's owner) in any way.

Upon receiving the preview-link-generated message, the recipient's WhatsApp does not make an external request to a third-party server. This was verified with iOS WhatsApp. The preview is displayed, but no extra request is made to the previewed website from the recipient (confirming that the preview is generated once, on the sender's side).

People picking up on one guy's incorrect findings or misinterpreting their use case (they may have been correct in the year 2018, but it doesn't seem that they were). And building docker images from that. Amazing :-)

Nothing personal, just hoping this will be useful to other people who want to easily try this and similar solutions, only to discover there's no real way to exploit this in the way they expect.

Use cases of this vulnerability assumed by this repo or many others, which are not functional:

  • You can craft a URL page and send it to other WhatsApp users to reap their IP address.
  • You send an api. link with the text param set to a urlencoded track URL page of your own to reap the recipient's IP address.

They are not functional. This will not work. Period. The README statements are incorrect.

Real use case (which is hardly of any use):

  • You can craft a URL page, and send/not-send/just-type in your WhatsApp and disclose your own IP address in your server logs. Profit is zero. To get your own IP address you can use other tools :p
  • You can force a remote WhatsApp user to be the one sending a link to disclose their IP address. Just exactly how? Social engineering them to do it, but how do you see it happening? The only way is for them to click the "api." link through some other means (from email). If you simply send the api. link to their WhatsApp - nothing happens in terms of exploit (the preview is for "WhatsApp sharing"). The users have to click the link. Just seeing that message won't disclose their IP. So in that way, this is again quite useless because you can simply share any link from your server (not api.whatsapp.com) and ensuring that it is clicked will get you their IP address.

Thus, README saying:

Send this link to your victims: https://api.whatsapp.com/send?phone=+**PHONE_NUMBER**&text=http%3A%2F%2F**YOUR_EVIL_URL**

Does not provide any real benefit over:

Send this link to your victims: https://your.example/track.php
