In this article: a new hack that makes it possible to track all the activity of a WhatsApp user… Let's look at how it works and how it is installed!
WhatsApp: As you know, the well-known instant messaging client lets you set various parameters. Through the Privacy menu you can choose, for example, who can see your status, read receipts, profile picture, and so on.
A new “hack” has appeared on the web that even makes it possible to track all the activity of a WhatsApp user. Specifically, here is everything the script lets you do:
- Status: Online/Offline (even if privacy is set to nobody)
- Profile picture
- Privacy settings
- Status message
In particular, you get a sort of timeline that records all the “changes” the user makes to their profile.
WhatsSpy Public: how is it installed?
I should say up front that this is not something everyone can do: it requires specific IT skills. Still, the installation guide for WhatsSpy Public follows.
Obviously, use the guide for educational purposes, to understand how technology can violate privacy very easily….
Installation guide
Below is the author's installation guide; I have not translated it, since running WhatsSpy Public requires specific IT knowledge in any case….
Requirements
- Secondary Whatsapp account (phonenumber that doesn’t use Whatsapp)
- Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
- Server/RPi that runs 24/7
- Nginx or Apache with PHP (you can’t host on simple webhoster, you need bash)
- Postgresql
WhatsSpy Public requires a secondary Whatsapp account. Once the tracker is started, you will not be able to receive any messages over Whatsapp for this phonenumber. You can either try to register a non-Whatsapp used phonenumber (with for example this script) or just buy a 5 euro SIM card and use this phonenumber for the tracker.
For the tracker to work you need a secret which is retrieved from either your phone or the register script mentioned above. In case of phone registration you need a jailbroken iPhone or rooted Android device in order to retrieve the secret.
- Jailbroken iPhone users: You can retrieve using this script.
- Rooted Android phones can use the following APK to retrieve the secret.
In order to retrieve the secret you need to follow these steps:
1. Insert your (new) secondary SIM card in your phone and boot it up.
2. Re-install Whatsapp on your phone and activate it using the new phonenumber.
3. Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down; it is required later.
4. Insert your normal SIM card and repeat step 2.
5. Download the repository and unpack these files on your server at for example /whatsspy/ in your web directory (for nginx in debian this is /var/www/).
6. Log in to your PostgreSQL database and create a new DB and user for WhatsSpy Public (insert password for DB user):

   -- Execute command by command!
   -- cmd 1 (put the password for the DB user between the quotes)
   CREATE ROLE whatsspy LOGIN
     PASSWORD ''
     NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
   -- cmd 2
   CREATE DATABASE whatsspy
     WITH OWNER = whatsspy
     ENCODING = 'UTF8'
     TABLESPACE = pg_default
     CONNECTION LIMIT = -1;
   -- cmd 3
   GRANT ALL ON DATABASE whatsspy TO whatsspy;

7. Open api/whatsspy-db.sql and execute these SQL commands in your whatsspy database (with PgAdmin for example).
8. Rename config.example.php to config.php located at api/ and fill in the following details:
   - Postgresql host/port/dbname/user and password correctly in $dbAuth.
   - Your secondary Whatsapp account’s phone number in ‘number’ and the retrieved secret in ‘secret’ (look at requirements if not retrieved yet) in $whatsappAuth.
   - Set the absolute path correctly in $whatsspyProfilePath. If you’ve installed WhatsSpy Public in for example /var/www/whatsspy the correct directory would be /var/www/whatsspy/images/profilepicture/ (including the trailing /).
   - You can set an optional NotifyMyAndroid key for notifications about the tracker (startup, shutdown, errors etc.) in $whatsspyNMAKey.

Check folder rights: the tracker needs read/write access in both the folder $whatsspyProfilePath and api/!
Webserver
You need to restrict access to Whatsspy and the api of Whatsspy from unauthorised web access.
Nginx
For Nginx add the following:
location /whatsspy/ {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
location /whatsspy/api/whatsapp/ {
    deny all;
    return 404;
}
location ~ /whatsspy/api/ {
    rewrite ^ /whatsspy/api/index.php last;
}
assuming you installed whatsspy in a subdirectory called /whatsspy in the web directory /var/www/ (default setup).
You can create an .htpasswd here. Make sure you reload the configuration by executing service nginx reload.
Apache
Create an .htaccess in the whatsspy folder and add the following:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/.htpasswd
Require valid-user
Do not place the .htpasswd in the /var/www folder. You can create an .htpasswd here. The api/ folder is protected by default.
Importing users
If everything went well you can now access the WhatsSpy Public interface through your webserver. At this point you need to import users that you want to track:
- Either add any contact manually by using “Add contact by phonenumber”.
- Or use “import google Contacts” which is a script that retrieves all your Google Contacts and gives an SQL statement which inserts all users into the database.
Once you have inserted these users they won’t show up automatically. They need to be verified by the tracker which is not running yet.
Starting the tracker
Once you have populated your database with some users, you can start the tracker.
- Start a new screen (if you do not have screen: sudo apt-get install screen or similar for other distros).
- cd to the install of the Whatsspy (for example /var/www/whatsspy/) and execute `which php` api/tracker.php.
- If all runs well it starts spamming information about privacy options and polls.
- It keeps polling every 2 seconds and outputs any statuses on the screen.
- You can exit the screen by using Ctrl+a and after that Ctrl+d (detaching the screen) in your terminal/Putty.
IPTables rules
Whatsapp uses an HTTPS connection which is going outbound:
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT