Hijacking Whatsapp accounts using the web version
- Transfer
Whatsapp accounts are based on phone numbers. This means that your phone number is your username, which is also used for authentication.
Although this is not the best solution from a privacy point of view, it often saves users who are not savvy from remembering another password that they can potentially enter in a phishing attack.
A brief overview of the login process:
When the application is launched for the first time, the user must enter his phone number. Verification code is sent to the number in the form of sms or call. After that, the code is entered into the application, the authentication token is stored on the device.
When a user uses a new device, the process must be repeated for this device and the old one will be deauthorized.
Whatsapp does not store old messages on their servers, so previous messages will not be transferred to the new device.
Of course, the process is actually more complex, but this simplification is suitable for the purposes of this article.
Convenience replaces security. The price of this is vulnerability to new attacks that can be used to gain access to a phone number. It also requires trust in the mobile operator, as it has full access to the number and can easily access the account.
By the attacker
From the point of view of the "low-budget" attacker, this is difficult to circumvent. There are only two workarounds:
1) Gaining access to the victim’s phone. As stated above, this can be obtained by various attacks on the network or by a mobile provider. Even if access to the phone number can be obtained, this will not give access to the message history and the victim will notice this, since her phone will be deauthorized.
2) Protect the phone itself and gain access to the data section. It is expensive.
Meet the new player
In 2015, whatsapp launched Whatsapp web, a site that allows you to send and receive messages from your computer. To use this, the browser must be “connected” to the phone, while the phone remains “at the head” of all this. Brief overview of the process:

Scanning the QR code shown on Whatsapp’s web page using a telephone, the browser is authorized. The user can then use whatsapp in the browser as long as the phone is connected to the network.
This procedure provides an opportunity for attackers. The trick is to use a scanned QR code and this will give full access to your account, including future and past communications. Bingo!
Attack description
It's simple: the attacker only has to force the user to scan the “malicious” QR code in order to authorize the attacker's browser. This will give him full access to whatsaupp's account.
The following image shows how it works:

To accomplish this, whatsapp should not display a static QR code on their registration page, but generate a different one every couple of seconds. This prevents attackers from simply copying code and posting on a new page.
Demo
This tool I developed using selenium to get QR codes and express.js + socket.io to display them on the page. If the victim scans this code using her phone, the document.cookie and localStorage browser selenium is saved to a file on the attacker's machine.
The data obtained can be used to log into the victim’s account using any browser.
→ Code on github