pedroslopez / whatsapp-web.js

A WhatsApp client library for NodeJS that connects through the WhatsApp Web browser app
https://wwebjs.dev
Apache License 2.0

Security Issue - I spotted hidden numbers while monitoring client.getChats() in client.on('ready', async() => { #2240

Closed andresantos78 closed 1 year ago

andresantos78 commented 1 year ago

Is there an existing issue for this?

Describe the bug

Today I'm testing the new version of the lib whatsapp-web.js v1.21.0 and identified a serious security problem (in my view). I work with sending messages to groups, after updating the lib from version 1.95.0 to v1.21.0. I tracked possible malicious code that injects numbers into the groups that were not in the group or in contacts.

I didn't dig deep into the code, but it looks like a message interceptor.

See logs... PrivateChat { id: { server: 'c.us', user: '558781002856', _serialized: '558781002856@c.us' }, name: '+55 87 8100-2856', isGroup: false, isReadOnly: false, unreadCount: 0, timestamp: undefined, archived: undefined, pinned: false, isMuted: false, muteExpiration: 0, lastMessage: Message { _data: [Object], mediaKey: undefined, id: [Object], ack: undefined, hasMedia: false, body: '', type: 'e2e_notification', timestamp: 1685371392, from: '558781002856@c.us', to: 'XXXXXXXXXXXX@c.us', author: undefined, deviceType: 'android', isForwarded: false, forwardingScore: 0, isStatus: false, isStarred: false, broadcast: undefined, fromMe: false, hasQuotedMsg: false, hasReaction: false, duration: undefined, location: undefined, vCards: [], inviteV4: undefined, mentionedIds: [], orderId: undefined, token: undefined, isGif: false, isEphemeral: undefined, links: [] } }, PrivateChat { id: { server: 'c.us', user: '558791266778', _serialized: '558791266778@c.us' }, name: '+55 87 9126-6778', isGroup: false, isReadOnly: false, unreadCount: 0, timestamp: undefined, archived: undefined, pinned: false, isMuted: false, muteExpiration: 0, lastMessage: Message { _data: [Object], mediaKey: undefined, id: [Object], ack: undefined, hasMedia: false, body: '', type: 'e2e_notification', timestamp: 1685371392, from: '558791266778@c.us', to: 'XXXXXXXXXXXX@c.us', author: undefined, deviceType: 'android', isForwarded: false, forwardingScore: 0, isStatus: false, isStarred: false, broadcast: undefined, fromMe: false, hasQuotedMsg: false, hasReaction: false, duration: undefined, location: undefined, vCards: [], inviteV4: undefined, mentionedIds: [], orderId: undefined, token: undefined, isGif: false, isEphemeral: undefined, links: [] } }

Expected behavior

While listing the groups of my test number, it should not list numbers that are not part of the group and are not contacts of the user.

Steps to Reproduce the Bug or Issue

  1. Need to have groups linked with the number.
  2. Update from v1.95.0 to v1.21.0
  3. Run the app.js
  4. Track the event 'ready'
  5. Use await client.getChats() to get the chat history
  6. Use the check group.id.server.includes('g.us') to track groups
  7. Use the check group.id.server.includes('c.us') to check users
  8. See if you can locate the numbers +55 87 8100-2856 or +55 87 9126-6778

Relevant Code

No response

Browser Type

Chromium

WhatsApp Account Type

Standard

Does your WhatsApp account have multidevice enabled?

No, I am not using Multi Device

Environment

Sandbox OS: Windows
Phone OS: Android
whatsapp-web.js: 1.21.0
WhatsApp Web: 2.2322.15
Node.js: v18.16.0

Additional context

No response

PurpShell commented 1 year ago

Hi! I'm sorry but I didn't understand, @tuyuribr speaks Portuguese, so hopefully he can properly interpret the issue, because some context is lost in translation

opssemnik commented 1 year ago

> Hi! I'm sorry but I didn't understand, @tuyuribr speaks Portuguese, so hopefully he can properly interpret the issue, because some context is lost in translation

He basically said he found "hidden numbers" when doing client.getChats post v1.20, and was thinking it was a security issue in the lib (?)

But the numbers he provided also come from Brazil.

@andresantos78 client.getChats does not return just your contacts; it returns every single chat that is loaded by wweb. Those include chats initiated by others, including companies, chats that you haven't acknowledged, or chats that you just moved to spam (which are not visible in the UI).

Those 2 numbers are tied, one to a telemarketing company and the other to an internet company.

PurpShell commented 1 year ago

That's what I thought at first. @andresantos78 you have nothing to worry about; those are chats which you have interacted with in the past.
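The behaviour described by opssemnik above, that client.getChats() returns every loaded chat and not only saved contacts or group members, is easy to check against your own session. The following is an added example (not part of whatsapp-web.js or this issue): it separates group chats from private ones and flags private chats with numbers that are not saved contacts, so they are reported as unsolicited conversations rather than mistaken for injected group members. It assumes chat objects shaped like the issue's log (id.server, id._serialized, isGroup, lastMessage.type, lastMessage.fromMe); the sample data and numbers are constructed placeholders.

```javascript
// Build the set of saved-contact JIDs from the live client (not run here).
// client.getContacts() and contact.isMyContact are real whatsapp-web.js APIs.
async function collectSavedContacts(client) {
  const contacts = await client.getContacts();
  return new Set(contacts.filter((c) => c.isMyContact).map((c) => c.id._serialized));
}

// Triage a list of chats (as returned by client.getChats()) against the saved
// contacts. Group chats are never treated as "unknown users"; a private chat
// whose only message is an empty e2e_notification (as in the issue's log) is
// marked so it can be reviewed separately from real conversations.
function triageChats(chats, savedContacts) {
  const report = { groups: [], contacts: [], unsolicited: [] };
  for (const chat of chats) {
    const jid = chat.id._serialized;
    if (chat.isGroup || chat.id.server === 'g.us') {
      report.groups.push(jid);
      continue;
    }
    const last = chat.lastMessage;
    const onlyNotification =
      Boolean(last) && last.type === 'e2e_notification' && !last.fromMe;
    if (savedContacts.has(jid)) {
      report.contacts.push(jid);
    } else {
      report.unsolicited.push({ jid, onlyNotification });
    }
  }
  return report;
}

// Constructed sample: one group, one saved contact, one unsaved number whose
// chat holds nothing but an e2e_notification, mirroring the log in the issue.
const SAMPLE_CHATS = [
  { id: { server: 'g.us', user: '120363000000000000', _serialized: '120363000000000000@g.us' },
    isGroup: true, lastMessage: { type: 'chat', fromMe: true } },
  { id: { server: 'c.us', user: '5500000000001', _serialized: '5500000000001@c.us' },
    isGroup: false, lastMessage: { type: 'chat', fromMe: false } },
  { id: { server: 'c.us', user: '5500000000002', _serialized: '5500000000002@c.us' },
    isGroup: false, lastMessage: { type: 'e2e_notification', fromMe: false } },
];
const SAMPLE_SAVED = new Set(['5500000000001@c.us']);

function sampleReport() {
  return triageChats(SAMPLE_CHATS, SAMPLE_SAVED);
}
```

To look at real group membership, read the participants of each GroupChat rather than scanning c.us chats, since the c.us entries are simply every private conversation WhatsApp Web has loaded.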