Vulnerabilities / Threats

8/9/2018
02:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weakness in WhatsApp Enables Large-Scale Social Engineering

Problem lies in WhatsApp's validation of message parameters and cannot be currently mitigated, Check Point researchers say.

Researchers at Check Point Software Technologies say they have discovered a dangerous weakness in the WhatsApp messaging app that gives threat actors a way to manipulate content in private and group conversations on the platform without raising any red flags.

The security vendor this week published a report demonstrating how an adversary could exploit the issue to change the identity of a message sender, alter the text of message replies, and send private messages spoofed as a public message to individual participants in a group.

In a statement, a spokeswoman for the Facebook-owned WhatsApp said the company had reviewed the issue and found it to be the equivalent of someone altering an email to make the content appear like something a person never wrote. "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp," the statement noted. 

But Oded Vanunu, head of product vulnerability research at Check Point, says his company has not claimed the issue has anything to do with the security of WhatsApp's encryption at all. By raising the encryption issue, WhatsApp is only deflecting attention from the real problem: a fundamental weakness that exists in WhatsApp's validation of key message parameters.

The weakness gives attackers a way to manipulate key attributes of a WhatsApp message before it is encrypted. For example, an attacker could use the "quote" feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Or they could exploit the weakness to alter the text of another person's reply to make it appear as if they said something they never did. An attacker could also exploit the issue to trick a targeted individual into thinking they are sharing information in a private conversation when in reality it is visible to everyone else in a group.

In each case, the manipulation happens before the encryption happens — but since WhatsApp does not have a way to catch this manipulation, the altered messages simply get encrypted and delivered to the recipient. "The encryption works as expected," Vanunu says. "The manipulation exists before the encryption via message parameters."

WhatsApp currently has some 1.5 billion users, 450 million of whom use it daily to send text messages, share images and video, and make phone and video calls. WhatsApp is used widely not just by consumers but also by businesses and governments for sensitive conversations involving confidential information and other data that could even end up being used in a court of law, Vanunu says. Therefore, the potential for threat actors to exploit the weakness to carry out social engineering on a massive scale is very real, he says.

He points to recent incidents in India, where WhatsApp-borne rumors resulted in the lynching of several innocent people, and a disinformation campaign in Brazil involving the yellow fever vaccine as examples of how the platform already is being abused for social engineering. "We are talking about 65 billion messages sent every day," he says. "We want people to understand that WhatsApp messages can be manipulated to trigger fake news."

Vanunu describes the problem as a fundamental design issue in WhatsApp that currently cannot be mitigated. He says Check Point used a commonly available tool for intercepting network packets to understand how WhatsApp's protocol works, and it quickly identified the parameters that are actually sent between the mobile version of WhatsApp and the web version.

The parameters of particular interest were "conversation," which pertains to the actual content being sent or received; "participant," referring to the message sender; "fromMe," indicating if the user personally sent the message or someone else did; "remoteJid," indicating the group or contact to which the message is sent; and "id," the identity associated with the data.

Check Point found that it could relatively easily manipulate the parameters either via the browser in the web version of WhatsApp or by using an automated tool it developed to intercept and manipulate the communication between the mobile and web versions of the app.

"The mobile app is the back end if you are using WhatsApp Web," he says. Everything that a user does on WhatsApp Web is synced directly with his or her mobile device. When a user sends a message on WhatsApp Web, the message is actually being sent from the mobile device, and that is where the encryption happens. What Check Point discovered is that if someone manipulates the parameters via the browser or automated tool and hits the "send" button on a message, the mobile app just encrypts and sends the message without any validation.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
NC Water Utility Fights Post-Hurricane Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.