Change other people's messages in WhatsApp

Jollier
More than 1.5 billion people in over 180 countries use WhatsApp, the messaging app owned by Facebook. The average user checks WhatsApp over 23 times a day. And the number of app users in the US is projected to grow to 25.6 million by 2021.
With that much chatter, the potential for scams, rumors and fake news is enormous, and the vulnerabilities described below hand attackers one more way to abuse the platform.
In late 2018, Check Point Research notified WhatsApp of new application vulnerabilities that allow an attacker to intercept and manipulate messages in both private and group conversations, making it possible to create and spread misinformation from seemingly trusted sources.

Check Point Research identified three attacks that exploit these weaknesses, each combined with social engineering to trick end users. An attacker can:
  1. Use the "quote" feature in a group conversation to change the identity of the quoted sender, even to someone who is not a member of the group.
  2. Change the text of someone else's reply, essentially putting words in that person's mouth.
  3. Send a private message to one member of a group that is disguised as a message to the whole group, so that when the victim replies, the reply is visible to everyone in the conversation.
WhatsApp has fixed the third vulnerability. Check Point Research found, however, that it is still possible to manipulate quoted messages and spread misinformation from seemingly reliable sources.
Following its responsible disclosure guidelines, Check Point Research reported its findings to WhatsApp. In Check Point Research's view these vulnerabilities are critical and require attention.
To demonstrate their severity, a tool was built that decrypts the traffic between WhatsApp Web and the phone and lets you spoof messages.
As you know, the messenger encrypts every message, image, call, video or any other type of content you send so that only the recipient can see it. WhatsApp is unable to view these messages.
That end-to-end layer is not what was attacked. Check Point Research looked at a different layer: the encrypted channel between the WhatsApp mobile app and WhatsApp Web, and reverse-engineered the algorithm used to decrypt its data.
Once decrypted, the data is protobuf2. By converting it to JSON, Check Point Research was able to see the actual parameters being sent and to manipulate them in order to test WhatsApp's security.
The result of the Check Point Research work is a Burp Suite extension (it is public; search for it by name) and three attack methods. Since the third vulnerability has been fixed, this article describes two attacks.
To launch an attack, however, you first need to obtain the session's private and public keys and fill them into the corresponding fields of the Burp Suite extension.

Retrieving Keys
The keys can be taken from WhatsApp Web at the point where it generates its key pair, before the QR code is drawn:
Public and private message keys.
Next, take the "secret" parameter, which the phone sends to WhatsApp Web over the WebSocket when the user scans the QR code:
"Secret" key from the WebSocket.
With these three values filled into the extension's fields, it is ready to use:
Burp Suite extension: WhatsApp Decoder.
Clicking Connect links the extension to a local extension server, which performs the actual decryption and encryption work.

Manipulating WhatsApp
By decrypting the WhatsApp communication, Check Point Research was able to see every parameter actually transferred between the mobile app and the web client. With the parameters visible, they could be manipulated, and the search for security problems began.
That led to the attacks described below.
Attack 1. Changing the identity of the sender in a group chat, even to someone who is not a member of the group
In this attack, it is possible to spoof a quoted message so that it appears to come from another member of the group, or even from a non-existent member such as "Mickey Mouse".
To impersonate someone in the group, an attacker only needs to capture the encrypted traffic between WhatsApp Web and the phone.
Encrypted WhatsApp Communication.
The captured frame is passed to the extension, which decrypts it.
Decrypting a WhatsApp message with the extension.

Key parameters:
  • conversation - the text content being sent;
  • participant - the group member who sent the content;
  • fromMe - whether the message was sent by the local user (true) or by someone else (false);
  • remoteJid - the group or contact the message belongs to;
  • id - the message identifier; the same identifier is stored in the phone's database.
This is where it gets interesting.
The message can now be changed to anything else. For example, a message reading "Great!" sent by a member of the group can be rewritten as "I'm going to die, in a hospital right now!", and the participant parameter can be changed to someone else in the group.
Note that the id also has to be changed, because the original id is already in the phone's database from when the real message arrived, so a message with the same id would not be treated as new.
The forged message exists only on the attacker's own device at this point. For everyone else to see it, the attacker replies to the forged message ("Great!") by quoting it; the quoted text and its spoofed sender travel inside the reply and are delivered to everyone in the group.
As you can see in the screenshot below, a new group has been created where no one has posted messages yet, and using the method described above, a fake reply was generated.
Initial conversation.
The participant parameter can be set to arbitrary text or to the phone number of a person who is not in the group, and everyone in the group will see the quote as if that participant had actually sent it.
Modifying the content of a message using a debug tool.
The reply, carrying the forged quote, is then sent to everyone in the group as usual.
Reply to a message "sent" by someone outside the group.

Attack 2. Changing the text of someone's answer
In this attack, the attacker sends messages to himself on another person's behalf, so that the chat shows them as coming from that person. That could be used to incriminate someone or to fabricate a deal.
To fake such a message, change its fromMe parameter, which indicates who sent the message in a private chat.
This time the outgoing message is intercepted inside WhatsApp Web itself, before it is encrypted and sent to the phone: set a breakpoint on the aesCbcEncrypt function in the browser's debugger and copy the data from its "a" parameter.
Manipulation of outgoing messages.
That data is pasted into Burp Suite with the outbound direction selected. Clicking "Decrypt" makes the extension decrypt it.
Outgoing message decryption.
After changing fromMe to false and encrypting the message again, the result looks like this.
Outgoing message encryption.
Finally, replace the value of the "a" parameter in the browser with the re-encrypted data and let execution continue. The phone shows a push notification with the forged content, and the message appears in the chat as if the other party had written it. Repeating this, an entire chat can be fabricated.
Sending a message to yourself on behalf of someone else.

Conclusion
One more reason to treat even seemingly trusted sources of information on the Internet with care: WhatsApp has not fixed the two remaining vulnerabilities, and they are quite simple to carry out.