Bug Bounty - $2,100 if You Can Bypass WAHA API Key Validation
Human-Only Submissions
If you made the report with GPT/LLM/Agents - don't send it. GPT-generated crap will not be reviewed. Give the human steps to follow, assuming we have WAHA installation already, just plain curl or commands
Hi
We're offering 2,100 USDT to anyone who can bypass the WAHA_API_KEY check on the WAHA HTTP API and:
- Send a WhatsApp message
- Or fetch the session list
Conditions:
- Installed using the guide https://waha.devlike.pro/docs/how-to/install/
- WAHA_API_KEY is a SHA-512 hash of a random UUIDv4
- HTTPS connection (so you cannot inspect the traffic)
- devlikeapro/waha image is enough, no WAHA Plus required
- No knowledge of the api key should be assumed
How to submit: Email your exploit privately to [email protected] with steps, payloads, and evidence.
Notes:
- First valid report wins (if reports about the same exploit)
- No known or theoretical issues - must be reproducible
- Related source code you can find in /src/core/auth folder!
Thanks for helping secure WAHA!
bypass waha api for send this message?
I had subscribed to WAHA, but after 1-2 months, my account got hacked. I had kept the default username/password (my mistake), but I never shared my server IP with anyone, so it's unclear how it was accessed.
Now, WhatsApp accounts linked to my WAHA started sending random marketing messages - even international ones - and a new WhatsApp number also appeared on my installation. Can you please help me look into this?
Maybe you were a victim of scanning sites like Shodan; several hackers scan for login sites and try the default login and password...
I never shared my server IP with anyone, so it's unclear how it was accessed.
Correct, https://www.shodan.io/ is pretty easy to use
Hello, good evening everyone!
I have information about the bug and the alleged scams.
Here's my contact information:
Check your emails guys
- @Robson-Rissato
- @bobykurniawan11
- @necto-cms
100 USDT bug bounty sent, thanks to anonymous who found gh tokens in the internet :)
Not related to WAHA API tho, so we're safe for now
Hello, I've submitted a report 3 days ago - can you confirm that was received?
I want to ask: if I submit an exploit that unlocks features on WAHA that are only available on WAHA Plus, what will I get for this, or is it not valid?
Where did you send this?
On Mon, Sep 15, 2025, 10:31 devlikeapro @.***> wrote:
devlikepro left a comment (devlikeapro/waha#1076) https://github.com/devlikeapro/waha/issues/1076#issuecomment-3290351919
Check your emails guys
- @Robson-Rissato https://github.com/Robson-Rissato
- @bobykurniawan11 https://github.com/bobykurniawan11
- @necto-cms https://github.com/necto-cms
100 USDT bug bounty sent, thanks to anonymous who found gh tokens in the internet :)
Not related to WAHA API tho, so we're safe for now
Check your emails guys
100 USDT bug bounty sent, thanks to anonymous who found gh tokens in the internet :)
Not related to WAHA API tho, so we're safe for now
Would you please provide more information about this. What is it? and how does it relate to WAHA API?
I sent a report, could you please confirm if you received it?