Naresh LamGade
Naresh LamGadeWe all know about it, WhatsApp is an instant messaging app for smartphones. WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. (Read More )
WhatsApp is free to download and try for the first year. After, you have the option of extending your subscription for $0.99 USD per year. This vulnerabilities exist in the WhatsApp payment processing system with Paypal which is not encrypted.
https://www.whatsapp.com/payments/paypal.php?phone=97798XXXXXXX&cksum=e39fe530c7c159b713b2f8765e6435b3&sku=1&lg=en&lc=US
Here sku=1
which is for 1 year ,
sku=2 for 3 years and sku=3 for 5 years.
<form id="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<div>
<input type="hidden" name="custom" value="purchaser=97798XXXXXXX&list=97798XXXXXXXX">
<input type="hidden" name="business" value="paypal@whatsapp.com">
<input type="hidden" name="item_name" value="One year of WhatsApp service for phone +977 981-7004791">
<input type="hidden" name="item_number" value="1">
<input type="hidden" name="amount" value="0.99">
<input type="hidden" name="invoice" value="519CC73F-2122-4282-B425-4F9EC56925A9">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="notify_url" value="http://p.whatsapp.net/pay_http:ebay_paypal">
<input type="hidden" name="return" value="https://www.whatsapp.com/payments/success.php">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="no_shipping" value="1">
With this vulnerability, any WhatsApp user can increase their subscription age even by paying small $0.01 for 5 years.
I reported this issue to the WhatsApp team and their response :
Even though there was no reward for this but still an extra free year subscription was added to my account.
Naresh LamGade