Closed andresantos78 closed 1 year ago
Hi! I'm sorry but I didn't understand, @tuyuribr speaks Portuguese, so hopefully he can properly interpret the issue, because some context is lost in translation
He basically said he found "hidden numbers" when doing client.getChats post v1.20, and was thinking it was a security issue on the lib (?)
But the numbers he provided also come from Brazil
@andresantos78 client.getChats does not return just your contacts; it returns every single chat that is loaded by wweb. Those include chats initiated by others, including companies, chats that you haven't acknowledged, and chats that you just moved to spam (which are not visible in the UI)
Those 2 numbers are tied, one to a telemarketing company and the other to an internet company
That's what I thought at first. @andresantos78 you have nothing to worry about; those are chats which you have interacted with in the past
Is there an existing issue for this?
Describe the bug
Today I was testing the new version of the lib, whatsapp-web.js v1.21.0, and identified a serious security problem (in my view). I work with sending messages to groups. After updating the lib from version 1.95.0 to v1.21.0, I tracked down possible malicious code that injects numbers into the groups that are not in the group or in the contacts.
I didn't dig deep into the code, but it looks like a message interceptor.
See logs...
PrivateChat {
  id: { server: 'c.us', user: '558781002856', _serialized: '558781002856@c.us' },
  name: '+55 87 8100-2856',
  isGroup: false,
  isReadOnly: false,
  unreadCount: 0,
  timestamp: undefined,
  archived: undefined,
  pinned: false,
  isMuted: false,
  muteExpiration: 0,
  lastMessage: Message {
    _data: [Object],
    mediaKey: undefined,
    id: [Object],
    ack: undefined,
    hasMedia: false,
    body: '',
    type: 'e2e_notification',
    timestamp: 1685371392,
    from: '558781002856@c.us',
    to: 'XXXXXXXXXXXX@c.us',
    author: undefined,
    deviceType: 'android',
    isForwarded: false,
    forwardingScore: 0,
    isStatus: false,
    isStarred: false,
    broadcast: undefined,
    fromMe: false,
    hasQuotedMsg: false,
    hasReaction: false,
    duration: undefined,
    location: undefined,
    vCards: [],
    inviteV4: undefined,
    mentionedIds: [],
    orderId: undefined,
    token: undefined,
    isGif: false,
    isEphemeral: undefined,
    links: []
  }
},
PrivateChat {
  id: { server: 'c.us', user: '558791266778', _serialized: '558791266778@c.us' },
  name: '+55 87 9126-6778',
  isGroup: false,
  isReadOnly: false,
  unreadCount: 0,
  timestamp: undefined,
  archived: undefined,
  pinned: false,
  isMuted: false,
  muteExpiration: 0,
  lastMessage: Message {
    _data: [Object],
    mediaKey: undefined,
    id: [Object],
    ack: undefined,
    hasMedia: false,
    body: '',
    type: 'e2e_notification',
    timestamp: 1685371392,
    from: '558791266778@c.us',
    to: 'XXXXXXXXXXXX@c.us',
    author: undefined,
    deviceType: 'android',
    isForwarded: false,
    forwardingScore: 0,
    isStatus: false,
    isStarred: false,
    broadcast: undefined,
    fromMe: false,
    hasQuotedMsg: false,
    hasReaction: false,
    duration: undefined,
    location: undefined,
    vCards: [],
    inviteV4: undefined,
    mentionedIds: [],
    orderId: undefined,
    token: undefined,
    isGif: false,
    isEphemeral: undefined,
    links: []
  }
}
Expected behavior
When listing the groups of my test number, it should not list numbers that are not part of the group and are not contacts of the user.
Steps to Reproduce the Bug or Issue
Relevant Code
No response
Browser Type
Chromium
WhatsApp Account Type
Standard
Does your WhatsApp account have multidevice enabled?
No, I am not using Multi Device
Environment
Sandbox OS: Windows
Phone OS: Android
whatsapp-web.js: 1.21.0
WhatsApp Web: 2.2322.15
Node.js: v18.16.0
Additional context
No response
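The replies in this thread explain that client.getChats returns every chat WhatsApp Web has loaded, not only saved contacts; comparing the chat list with the address book makes that visible. This is an added example, not code from the issue or from whatsapp-web.js: `triageChats` and the sample objects are hypothetical, and in real use the two arrays would come from `client.getChats()` and `client.getContacts()`.

```javascript
// Added example: sort getChats() output into buckets so that entries like the
// two in the log above (unsaved number, only an empty 'e2e_notification'
// message) can be told apart from chats that carry real messages.
function triageChats(chats, contacts) {
  // IDs the account has actually saved (Contact.isMyContact in whatsapp-web.js).
  const saved = new Set(
    contacts.filter((c) => c.isMyContact).map((c) => c.id._serialized)
  );
  const report = { groups: [], savedContacts: [], systemOnly: [], unsavedWithMessages: [] };

  for (const chat of chats) {
    const id = chat.id._serialized;
    const last = chat.lastMessage;
    if (chat.isGroup) {
      report.groups.push(id);
    } else if (saved.has(id)) {
      report.savedContacts.push(id);
    } else if (!last || (last.type === 'e2e_notification' && !last.body)) {
      // No user-authored content loaded for this chat, only a system notice.
      report.systemOnly.push(id);
    } else {
      // Unsaved number that has exchanged real messages: worth a manual look.
      report.unsavedWithMessages.push(id);
    }
  }
  return report;
}

// Constructed sample data (fictional numbers), shaped like the logged objects.
const sampleContacts = [
  { id: { _serialized: '15550000001@c.us' }, isMyContact: true },
  { id: { _serialized: '15550000002@c.us' }, isMyContact: false },
];
const sampleChats = [
  { id: { _serialized: '15550009999-1600000000@g.us' }, isGroup: true, lastMessage: { type: 'chat', body: 'hi all' } },
  { id: { _serialized: '15550000001@c.us' }, isGroup: false, lastMessage: { type: 'chat', body: 'ok' } },
  { id: { _serialized: '15550000002@c.us' }, isGroup: false, lastMessage: { type: 'e2e_notification', body: '' } },
  { id: { _serialized: '15550000003@c.us' }, isGroup: false, lastMessage: { type: 'chat', body: 'special offer' } },
];

const sampleReport = triageChats(sampleChats, sampleContacts);
console.log(sampleReport);
```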