by aeonik 910 days ago
Very cool attack, and easy-to-read write-up.

I have one basic question: It was mentioned that attacking the encryption was skipped in favor of using a debugger.

Was this debugger applied to the WhatsApp Web app? Or was the debugger deployed on the phone? Was it an emulator?

For some reason I didn't think WhatsApp had a web app (I don't use it).

2 comments

The article says "I decided to intercept a message via WA web".
That was the initial idea, but it failed because WhatsApp traffic is end-to-end encrypted. The second idea, which actually worked, was to put a breakpoint in WhatsApp while running in an emulator.
No, not an emulator. Just using your browser's JavaScript debugger.

You can do that on any website.

Yeah, the article also says "WA web’s javascript was uglified and minified, however after a while of searching I found the right place."
The article doesn't make it 100% unambiguous, IMO, but the debugger screenshot looks like a desktop browser's debugger. You could also potentially do the same thing in the mobile app using Frida.