I built something that sounds a bit crazy. What if you could upload files up to 2GB for free, using infrastructure you already have access to?
The Idea
WhatsApp lets you send files up to 2GB. Their media infrastructure handles billions of uploads daily. So I thought: what if I could upload to their servers without actually sending files to anyone?
Turns out, you can.
How It Works
Here's the interesting part. WhatsApp uses end-to-end encryption for media. When you upload a file, it doesn't just go to their servers raw. There's a whole cryptographic dance happening.
The Upload
When you upload a file, whatsmeow does the following:
- Generates a random 32-byte MediaKey
- Encrypts the file using AES-256-CBC with keys derived from the MediaKey
- Computes SHA256 hash of both the original file and encrypted file
- Uploads the encrypted blob to WhatsApp's CDN
- Returns a DirectPath (the URL path to the encrypted file)
type UploadResponse struct {
    DirectPath  string // path to encrypted file on WhatsApp CDN
    MediaKey    []byte // 32-byte key to decrypt the file
    FileEncHash []byte // SHA256 of encrypted file
    FileSHA256  []byte // SHA256 of original file
    FileLength  uint64 // original file size
}
The key insight: WhatsApp never sees your file. They only store encrypted blobs. The MediaKey never leaves your device (or in our case, our server).
The Download
When someone wants to download, we reconstruct the file:
- Fetch the encrypted blob using DirectPath
- Decrypt using the stored MediaKey
- Verify integrity with SHA256 hashes
- Stream the decrypted file to the user
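The order of the download-side checks, as an added Go example that is not whatsbox or whatsmeow code: it verifies FileEncHash before decrypting and FileSHA256 after. The derive helper with its labels and the Seal/Open names are assumptions made for illustration, since the page does not show how the keys are derived from the MediaKey.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// derive is a stand-in KDF (HMAC-SHA256 over a label), assumed for this example.
func derive(mediaKey []byte, label string) []byte {
	h := hmac.New(sha256.New, mediaKey)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// Seal pads (PKCS#7), encrypts with AES-256-CBC, and returns blob, FileEncHash, FileSHA256.
func Seal(mediaKey, plain []byte) (blob, encHash, plainHash []byte) {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	blob = append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(derive(mediaKey, "key")) // 32-byte key, cannot fail
	cipher.NewCBCEncrypter(block, derive(mediaKey, "iv")[:16]).CryptBlocks(blob, blob)
	e, p := sha256.Sum256(blob), sha256.Sum256(plain)
	return blob, e[:], p[:]
}

// Open checks FileEncHash before decrypting, so altered bytes never reach the padding parser.
func Open(mediaKey, blob, encHash, plainHash []byte) ([]byte, error) {
	if e := sha256.Sum256(blob); !hmac.Equal(e[:], encHash) || len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("encrypted blob rejected")
	}
	block, _ := aes.NewCipher(derive(mediaKey, "key"))
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, derive(mediaKey, "iv")[:16]).CryptBlocks(out, blob)
	pad := int(out[len(out)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, fmt.Errorf("bad padding (wrong MediaKey?)")
	}
	out = out[:len(out)-pad]
	if p := sha256.Sum256(out); !hmac.Equal(p[:], plainHash) { // FileSHA256 check
		return nil, fmt.Errorf("plaintext hash mismatch")
	}
	return out, nil
}

func main() {
	blob, eh, ph := Seal(make([]byte, 32), []byte("hello")) // constructed all-zero key
	blob[0] ^= 1                                             // simulate a modified stored blob
	fmt.Println(Open(make([]byte, 32), blob, eh, ph))
}
```

Both hashes are only as trustworthy as the record that stores them, so they need to be kept alongside the MediaKey on the server rather than fetched with the blob.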
WhatsApp's CDN thinks it's serving a normal media file to a WhatsApp client. It has no idea we're using it as a file sharing backend.
Why This Works
The upload and download endpoints don't care if the file ever gets sent in a message. You can upload media and just... keep the credentials. The file sits on their CDN for 30 days, accessible to anyone with the DirectPath and MediaKey.
Features
- Resumable uploads via tus protocol - resume failed 2GB uploads from where you left off
- Password protection - optional password on downloads
- Real-time stats - track uploads, downloads, bandwidth
Limitations
- 30 day expiry (WhatsApp's retention policy)
- 2GB max (WhatsApp's limit)
- Requires a dedicated WhatsApp account
Quick Start
git clone https://github.com/salman0ansari/whatsbox.git
cd whatsbox
docker compose up -d