Vulnerabilities uncovered in WhatsApp — the messaging app used by about 1.5 billion users across the world — can allow bad actors to exploit the platform to manipulate or spoof chat messages.
The flaws would make it possible to “intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources,” the researchers noted.
Details of the vulnerabilities were disclosed by Israeli cybersecurity firm Checkpoint Research at Black Hat 2019 security conference in Las Vegas on August 7.
Checkpoint, in particular, notes three kinds of social engineering tactics:
- Manipulate WhatsApp’s quoting feature to make it look like someone had written something they had not.
- Alter and reword the text of user’s response, thereby “putting words in their mouth.”
- Trick users into sending a private message to one person, when — in reality — their reply went to a more public WhatsApp group.
The researchers said they alerted WhatsApp about the flaws in August last year, and that the company addressed only the third vulnerability. But they added the other two remain exploitable to this day and could be potentially misused by cybercriminals for malicious intentions.
Breaking the encryption barrier
WhatsApp remains one of the most popular messaging platform, including countries like India where it’s used by over 400 million users. Its ubiquity has made it an actively exploited platform for spreading malicious information, hate speech, fake news, and other forms of sexually explicit content.
Complicating the matter further is WhatsApp’s end-to-end encryption of all communications, which makes it harder for the Facebook-owned messaging app — or even the law enforcement agencies — to monitor and verify the authenticity of the messages.
Checkpoint’s Burp Suit Extension — which it demonstrated at the conference — effectively breaks this encryption barrier to decrypt chat messages, and therefore make it open to manipulation.
To achieve this, the researchers exploited the web version of WhatsApp that allows users to pair their phone using a QR code.
By obtaining the private and public key pair created before a QR code is generated, and the “secret” parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly.
So, it appears that in order to exploit the vulnerability, the attacker will need to hook up their mobile device to the extension (see video above) in order to be able to perpetrate the attack. We’ve reached out to Checkpoint for more details. We’ll update the story once we hear back.
Once the web traffic — containing details like participant details, the actual conversation, and a unique ID — is captured, the researchers said the flaws allowed them to spoof message replies, alter message content, and even “manipulate the chat by sending a message back to the sender on behalf of the other person, as if it had come from them.”
With WhatsApp becoming a major platform for news distribution, the exploit could have serious implications as it undermines trust and puts the integrity of the messages in question.
Facebook, for its part, has communicated to the researchers that the other two issues could not be resolved due to “infrastructure limitations” on WhatsApp.
When news of the vulnerability broke last year, the company said making the changes Checkpoint suggested would force WhatsApp to log all messages — which it said it was not ready to do for privacy reasons, once again highlighting the trade-offs between privacy and security.
A Facebook spokesperson gave us the following statement:
We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages.
The messaging service is currently rumored to be working on a standalone desktop version, which if true, could limit the extent to which these flaws could be leveraged in the wild.
But the spread of misinformation on WhatsApp has been a major headache for the company, particularly in India, where fake rumors circulated on the chat app led to a series of mob lynchings last year.
While WhatsApp has tried to address the issue by imposing message forward limits, the Indian government has been after the company to ensure traceability of every message sent on its platform without breaking its encryption.
(The story has been updated with a statement from Facebook.)