diff --git a/src/pentesting-web/registration-vulnerabilities.md b/src/pentesting-web/registration-vulnerabilities.md index 2e3c2368fff..d2dde1b1ee8 100644 --- a/src/pentesting-web/registration-vulnerabilities.md +++ b/src/pentesting-web/registration-vulnerabilities.md 
@@ -73,6 +73,43 @@ phone-number-injections.md captcha-bypass.md {{#endref}} +### Contact-discovery / identifier-enumeration oracles + +Phone-number–centric messengers expose a **presence oracle** whenever the client syncs contacts. Replaying WhatsApp’s discovery requests historically delivered **>100M lookups per hour**, enabling near-complete account enumerations. + +**Attack workflow** + +1. **Instrument an official client** to capture the address-book upload request (authenticated blob of normalized E.164 numbers). Replay it with attacker-generated numbers while reusing the same cookies/device token. +2. **Batch numbers per request**: WhatsApp accepts thousands of identifiers and returns registered/unregistered plus metadata (business, companion, etc.). Analyze responses offline to build target lists without messaging victims. +3. **Horizontally scale** enumeration with SIM banks, cloud devices, or residential proxies so per-account/IP/ASN throttling never triggers. + +**Dialing-plan modeling** + +Model each country’s dialing plan to skip invalid candidates. The NDSS dataset (`country-table.*`) lists country codes, adoption density, and platform split so you can prioritize high-hit ranges. Example seeding code: + +```python +import pandas as pd +from itertools import product + +df = pd.read_csv("country-table.csv") +row = df[df["Country"] == "India"].iloc[0] +prefix = "+91" # India mobile numbers are 10 digits +for suffix in product("0123456789", repeat=10): + candidate = prefix + "".join(suffix) + enqueue(candidate) +``` + +Prioritise prefixes that match real allocations (Mobile Country Code + National Destination Code) before querying the oracle to keep throughput useful. + +**Turning enumerations into targeted attacks** + +- Feed leaked phone numbers (e.g., Facebook’s 2021 breach) into the oracle to learn which identities are still active before phishing, SIM-swapping, or spamming. 
+- Slice censuses by country/OS/app type to find regions with weak SMS filtering or heavy WhatsApp Business adoption for localized social engineering. + +**Public-key reuse correlation** + +WhatsApp exposes each account’s X25519 identity key during session setup. Request identity material for every enumerated number and deduplicate the public keys to reveal account farms, cloned clients, or insecure firmware—shared keys deanonymize multi-SIM operations. + ## Weak Email/Phone Verification (OTP/Magic Link) Registration flows often verify ownership via a numeric OTP or a magic-link token. Typical flaws: @@ -109,6 +146,7 @@ def queueRequests(target, wordlists): body = '{"email":"victim@example.com","code":"%06d"}' % code engine.queue(target.req, body=body) + def handleResponse(req, interesting): if req.status != 401 and b'Invalid' not in req.response: table.add(req) @@ -329,5 +367,6 @@ Impact: Full Account Takeover (ATO) without any reset token, OTP, or email verif - [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1) - [Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)](https://msrc.microsoft.com/blog/2022/05/pre-hijacking-attacks/) - [https://salmonsec.com/cheatsheet/account_takeover](https://salmonsec.com/cheatsheet/account_takeover) +- [Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (NDSS 2026 paper & dataset)](https://github.com/sbaresearch/whatsapp-census) {{#include ../banners/hacktricks-training.md}}
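Review bot: In hunk `@@ -73,6 +73,43 @@`, the "Example seeding code" block does not run as pasted and contradicts the paragraph under it: `enqueue` is never defined or imported, and `row = df[df["Country"] == "India"].iloc[0]` is dead code since `row` is never read, so the `pandas` import and CSV load do nothing. The loop then walks every 10-digit suffix for `+91`, which is exactly the unfiltered brute force the next sentence says to avoid ("Prioritise prefixes that match real allocations"). Either drop the unused dataframe lines or have the snippet actually consume the `country-table.*` fields it loads, and define `enqueue` (or replace it with a `yield`) so the example is self-consistent. Two further documentation points for the same hunk: the ">100M lookups per hour" figure and the "Facebook's 2021 breach" mention carry no inline citation, although the NDSS paper added in the references hunk is the evident source, so link it where the number is stated; and the section describes the presence oracle and key-reuse correlation without a single line on how a defender would spot or limit it (per-device and per-account caps on contact-sync volume, alerting on abnormal lookup rates, not returning business/companion metadata for unregistered numbers), which is the part a reader hardening a registration flow needs.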
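Review bot: Hunk `@@ -109,6 +146,7 @@` only inserts a blank line before `def handleResponse(req, interesting):` in the Turbo Intruder script; it is a cosmetic whitespace change unrelated to the new section and harmless, but it belongs in a separate formatting commit rather than mixed into a content change, since it makes `git blame` attribute the OTP brute-force snippet to this feature.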
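Review bot: In hunk `@@ -329,5 +367,6 @@`, the new reference is titled "NDSS 2026 paper & dataset" but links only the `sbaresearch/whatsapp-census` GitHub repository; if the paper has its own URL, add it beside the repository link so the ">100M lookups per hour" and three-billion-account claims in the body point at the paper rather than at a code repository, and match the existing entries' style (title, then venue and date in parentheses) as the MSRC line does.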