WhatsApp, the hugely popular Facebook-owned messaging application, has recently come under scrutiny as multiple vulnerabilities have been uncovered. With over 1 billion users and more than 60 billion messages sent every day, security flaws are a serious concern because their impact can reach across the world.

Researchers at Israeli security company Check Point have brought to light security flaws in WhatsApp’s protocols and design framework, which contain a loophole enabling the creation and spreading of fake news under the guise of “trusted sources”. Essentially, malicious users are able to intercept and modify the content of messages sent through both private and group conversations. This can be an easy way of spreading fake news.

What are the possible “attacks”?

The problem lies with how the WhatsApp mobile apps connect with the corresponding WhatsApp Web, and the way it decrypts encrypted messages using the protobuf2 protocol. Specifically, the “quote” feature is where the vulnerability is exemplified. Hackers can use this feature to perform 3 types of attacks:

Change the identity of the original sender
- impersonate another person from the group, or even a non-existent group member, by simply changing the name of the person being quoted.
Modify the content of someone else’s message in a group chat
- put words in their mouth and mislead others. Make it seem like someone said something controversial or offensive.
Send private messages to a group participant disguised as a message to everyone
- the target participant will see one message while everyone else sees something else, but nobody realizes this is happening. Only when the targeted participant replies does the content get exposed to everybody.
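
One way a receiving client could detect the first two manipulations, shown here as an added example that is not code from Check Point or WhatsApp: compare the quote carried by a reply with the original message the client already stored. The field names (`id`, `sender`, `text`, `quoted`) and the sample messages are assumptions constructed for illustration.

```javascript
// Added example. Field names (id, sender, text, quoted) are hypothetical and
// are not WhatsApp's actual message schema.

// Compare the quote embedded in an incoming reply with the message this
// client already stored under the same id.
// Returns { status: "none" | "verified" | "unverifiable" | "mismatch", reasons }.
function checkQuote(reply, store, members) {
  const q = reply.quoted;
  if (!q) return { status: "none", reasons: [] };

  const reasons = [];
  // Attack 1: the quote names someone who is not in the group at all.
  if (!members.has(q.sender)) reasons.push("quoted-sender-not-a-member");

  const original = store.get(q.id);
  if (original) {
    // Attack 1: a real message attributed to a different sender.
    if (original.sender !== q.sender) reasons.push("quoted-sender-changed");
    // Attack 2: the quoted text differs from what was actually sent.
    if (original.text !== q.text) reasons.push("quoted-text-changed");
  }

  if (reasons.length > 0) return { status: "mismatch", reasons };
  // No local copy (for example, joined after the original was sent):
  // the quote cannot be confirmed, so it should not be shown as trusted.
  if (!original) return { status: "unverifiable", reasons: ["no-local-copy"] };
  return { status: "verified", reasons: [] };
}

// Constructed sample data.
const members = new Set(["alice", "bob", "carol"]);
const store = new Map([
  ["m1", { sender: "alice", text: "Meeting moved to 3pm" }],
]);
const replies = {
  honest: { sender: "bob", text: "ok", quoted: { id: "m1", sender: "alice", text: "Meeting moved to 3pm" } },
  alteredText: { sender: "bob", text: "really?", quoted: { id: "m1", sender: "alice", text: "Meeting cancelled" } },
  wrongSender: { sender: "bob", text: "really?", quoted: { id: "m1", sender: "carol", text: "Meeting moved to 3pm" } },
  outsider: { sender: "bob", text: "hm", quoted: { id: "m9", sender: "dave", text: "Send me the file" } },
  unseen: { sender: "bob", text: "yes", quoted: { id: "m7", sender: "carol", text: "Lunch?" } },
};

for (const [name, reply] of Object.entries(replies)) {
  const r = checkQuote(reply, store, members);
  console.log(name, r.status, r.reasons.join(","));
}
```

A check like this does not cover the third attack, where the message itself is delivered to only one participant.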

How were these security flaws discovered?

The team of security researchers at Check Point (Dikla Barda, Roman Zaikin, and Oded Vanunu) first decrypted the network requests of messages being sent via the app. They did this by creating a custom extension for Burp Suite, a popular web application security testing tool. This extension allowed them to easily intercept messages so they could analyse their structure and look for loopholes.

By analysing the decrypted messages, they could see all the parameters and variables being used in the messages sent between the mobile app and the web version of WhatsApp. This opened a window of opportunity for manipulating them, and it was quickly discovered that they could modify messages, the sender and the target recipient.

It’s worth noting that these exploits can only be performed by members of the group conversation, rather than a third-party attacker or someone sniffing the network. However, it’s still a critical security flaw because attackers can achieve all kinds of malicious objectives, including spreading misinformation and fake news, or creating false evidence in their favor.

Check Point has urgently informed WhatsApp about these security flaws, as it’s essential they get addressed as soon as possible. The current status is that they’re being investigated further, so we’re waiting for an update from WhatsApp themselves on the matter.