In this article: a new hack that makes it possible to track all the activity of a WhatsApp user… Let's look at how it works and how it is installed!

 


WhatsApp: As you well know, the well-known instant-messaging client lets you configure various settings. Through the Privacy menu you can set, for example, who can see your status, read receipts, profile picture, and so on.

A new "hack" has appeared on the web that even makes it possible to track all the activity of a WhatsApp user; in particular, here is everything the script lets us do:

  • Status: Online/Offline (even if privacy is set to nobody)
  • Profile picture
  • Privacy settings
  • Status message

In particular, we get a sort of timeline in which all the "changes" the user makes to their profile are recorded.

 


WhatsSpy Public: How is it installed?

I should say up front that this is not something everyone can do; it requires certain IT skills. In any case, the installation guide for WhatsSpy Public follows.

Obviously, use the guide for educational purposes, to understand how easily technology can violate privacy….

Installation guide

I reproduce the author's installation guide here; I am not translating it, since running WhatsSpy Public requires specific IT knowledge anyway….

Requirements

  • Secondary Whatsapp account (phonenumber that doesn’t use Whatsapp)
  • Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
  • Server/RPi that runs 24/7
  • Nginx or Apache with PHP (you can’t host on simple webhoster, you need bash)
  • Postgresql

WhatsSpy Public requires a secondary Whatsapp account. Once the tracker is started, you will not be able to receive any messages over Whatsapp for this phonenumber. You can either try to register a non-Whatsapp used phonenumber (with for example this script) or just buy a 5 euro SIM card and use this phonenumber for the tracker.

For the tracker to work you need a secret which is retrieved from either your phone or the register script mentioned above. In case of phone registration you need a jailbroken iPhone or rooted Android device in order to retrieve the secret.

  • Jailbroken iPhone users: You can retrieve using this script.
  • Rooted Android phones can use the following APK to retrieve the secret.

In order to retrieve the secret you need to follow these steps:

  1. Insert your (new) secondary SIM card in your phone and boot it up.
  2. Re-install Whatsapp on your phone and activate it using the new phonenumber.
  3. Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down; it is required later.
  4. Insert your normal SIM card and repeat step 2.

 

  1. Download the repository and unpack these files on your server at for example /whatsspy/ in your web directory (for nginx in debian this is /var/www/).
  2. Log in to your PostgreSQL database and create a new DB and user for WhatsSpy Public (insert the password for the DB user):
    -- Execute command by command!
    -- cmd 1
    CREATE ROLE whatsspy LOGIN
    PASSWORD ''  -- insert the password for the DB user between the quotes
    NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
    -- cmd 2
    CREATE DATABASE whatsspy
    WITH OWNER = whatsspy
       ENCODING = 'UTF8'
       TABLESPACE = pg_default
       CONNECTION LIMIT = -1;
    -- cmd 3
    GRANT ALL ON DATABASE whatsspy TO whatsspy;
    
  3. Open api/whatsspy-db.sql and execute these SQL commands in your whatsspy database (with PgAdmin for example).
  4. Rename config.example.php to config.php located at api/ and fill in the following details:
    • Postgresql host/port/dbname/user and password correctly in $dbAuth.
    • Your secondary Whatsapp account’s phone number in ‘number’ and the retrieved secret in ‘secret’ (look at requirements if not retrieved yet) in $whatsappAuth.
    • Set the absolute path correctly in $whatsspyProfilePath. If you’ve installed WhatsSpy Public in for example /var/www/whatsspy the correct directory would be /var/www/whatsspy/images/profilepicture/ (including /)
    • You can set an optional NotifyMyAndroid key for notifications about the tracker (startup, shutdown, errors etc.) in $whatsspyNMAKey.

Check folder rights: the tracker needs read/write access in both the folder $whatsspyProfilePath and api/!

Webserver

You need to restrict access to Whatsspy and the api of Whatsspy from unauthorised web access.

Nginx

For Nginx add the following:

location /whatsspy/ {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

location /whatsspy/api/whatsapp/ {
    deny all;
    return 404;
}

location ~ /whatsspy/api/ {
    rewrite ^ /whatsspy/api/index.php last;
}

This assumes you installed whatsspy in a subdirectory called /whatsspy in the web directory /var/www/ (default setup).

You can create an .htpasswd here. Make sure you reload the configuration by executing service nginx reload.
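
Added example (not part of the original guide or of the WhatsSpy project): a small Python model of Nginx location selection, run against the three blocks above, showing that the regex block, not the `deny all` block, handles requests under /whatsspy/api/whatsapp/, and that it carries no auth_basic of its own. It assumes these are the only locations in the server block; the labels, the sample paths and the `^~` variant are illustrative.

```python
import re

# The three locations from the Nginx snippet above: (modifier, pattern, label).
# Labels are illustrative names for what each block does.
PAGE_CONFIG = [
    ("", "/whatsspy/", "basic-auth"),
    ("", "/whatsspy/api/whatsapp/", "deny-404"),
    ("~", "/whatsspy/api/", "rewrite-to-index"),
]

# Assumed hardened variant (not from the guide): "^~" makes the deny prefix
# final, so regex locations are not consulted when it is the longest match.
HARDENED_CONFIG = [
    ("", "/whatsspy/", "basic-auth"),
    ("^~", "/whatsspy/api/whatsapp/", "deny-404"),
    ("~", "/whatsspy/api/", "rewrite-to-index"),
]


def select_location(config, uri):
    """Return the label of the location Nginx would select for a request URI."""
    path = uri.split("?", 1)[0]  # locations match the path, not the query string
    # 1. An exact "=" location wins immediately.
    for mod, pattern, label in config:
        if mod == "=" and path == pattern:
            return label
    # 2. Remember the longest matching prefix location.
    best = None
    for mod, pattern, label in config:
        if mod in ("", "^~") and path.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (mod, pattern, label)
    # 3. "^~" on that prefix skips the regex pass entirely.
    if best and best[0] == "^~":
        return best[2]
    # 4. Otherwise the first matching regex location, in file order, wins.
    for mod, pattern, label in config:
        if mod in ("~", "~*") and re.search(pattern, path, re.I if mod == "~*" else 0):
            return label
    # 5. No regex matched: fall back to the remembered prefix.
    return best[2] if best else None


if __name__ == "__main__":
    # Constructed sample paths, not taken from the project.
    for uri in ("/whatsspy/index.html", "/whatsspy/api/whatsapp/example.php"):
        print(uri, select_location(PAGE_CONFIG, uri), select_location(HARDENED_CONFIG, uri))
```

Adding `^~` to the deny block, as in the hardened list, makes that prefix match final. The regex block does not inherit `auth_basic` from the sibling `/whatsspy/` block, so it needs its own directives if basic auth is meant to cover the API.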

Apache

Create an .htaccess in the whatsspy folder and add the following:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/.htpasswd
Require valid-user

Do not place the .htpasswd in the /var/www folder. You can create an .htpasswd here. The api/ folder is protected by default.

Importing users

If everything went well you can now access the WhatsSpy Public interface through your webserver. At this point you need to import users that you want to track:

  • Either add any contact manually by using “Add contact by phonenumber”.
  • Or use “import google Contacts” which is a script that retrieves all your Google Contacts and gives an SQL statement which inserts all users into the database.

Once you have inserted these users they won’t show up automatically. They need to be verified by the tracker which is not running yet.

Starting the tracker

Once you have populated your database with some users, you can start the tracker.

  1. Start a new screen (if you do not have screen: sudo apt-get install screen or similar for other distros)
  2. cd to the install of the Whatsspy (for example /var/www/whatsspy/) and execute `which php` api/tracker.php.
  3. If all runs well it starts spamming information about privacy options and polls.
  4. It keeps polling every 2 seconds and outputs any statuses on the screen.
  5. You can exit the screen by using Ctrl+a and after that Ctrl+d (detaching the screen) in your terminal/Putty.

IPTables rules

Whatsapp uses an HTTPS connection which is going outbound:

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT