Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/9/2018
02:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weakness in WhatsApp Enables Large-Scale Social Engineering

Problem lies in WhatsApp's validation of message parameters and cannot be currently mitigated, Check Point researchers say.

Researchers at Check Point Software Technologies say they have discovered a dangerous weakness in the WhatsApp messaging app that gives threat actors a way to manipulate content in private and group conversations on the platform without raising any red flags.

The security vendor this week published a report demonstrating how an adversary could exploit the issue to change the identity of a message sender, alter the text of message replies, and send private messages spoofed as a public message to individual participants in a group.

In a statement, a spokeswoman for the Facebook-owned WhatsApp said the company had reviewed the issue and found it to be the equivalent of someone altering an email to make the content appear like something a person never wrote. "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp," the statement noted. 

But Oded Vanunu, head of product vulnerability research at Check Point, says his company has not claimed the issue has anything to do with the security of WhatsApp's encryption at all. By raising the encryption issue, WhatsApp is only deflecting attention from the real problem: a fundamental weakness that exists in WhatsApp's validation of key message parameters.

The weakness gives attackers a way to manipulate key attributes of a WhatsApp message before it is encrypted. For example, an attacker could use the "quote" feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Or they could exploit the weakness to alter the text of another person's reply to make it appear as if they said something they never did. An attacker could also exploit the issue to trick a targeted individual into thinking they are sharing information in a private conversation when in reality it is visible to everyone else in a group.

In each case, the manipulation happens before the encryption happens — but since WhatsApp does not have a way to catch this manipulation, the altered messages simply get encrypted and delivered to the recipient. "The encryption works as expected," Vanunu says. "The manipulation exists before the encryption via message parameters."

WhatsApp currently has some 1.5 billion users, 450 million of whom use it daily to send text messages, share images and video, and make phone and video calls. WhatsApp is used widely not just by consumers but also by businesses and governments for sensitive conversations involving confidential information and other data that could even end up being used in a court of law, Vanunu says. Therefore, the potential for threat actors to exploit the weakness to carry out social engineering on a massive scale is very real, he says.

He points to recent incidents in India, where WhatsApp-borne rumors resulted in the lynching of several innocent people, and a disinformation campaign in Brazil involving the yellow fever vaccine as examples of how the platform already is being abused for social engineering. "We are talking about 65 billion messages sent every day," he says. "We want people to understand that WhatsApp messages can be manipulated to trigger fake news."

Vanunu describes the problem as a fundamental design issue in WhatsApp that currently cannot be mitigated. He says Check Point used a commonly available tool for intercepting network packets to understand how WhatsApp's protocol works, and it quickly identified the parameters that are actually sent between the mobile version of WhatsApp and the web version.

The parameters of particular interest were "conversation," which pertains to the actual content being sent or received; "participant," referring to the message sender; "fromMe," indicating if the user personally sent the message or someone else did; "remoteJid," indicating the group or contact to which the message is sent; and "id," the identity associated with the data.

Check Point found that it could relatively easily manipulate the parameters either via the browser in the web version of WhatsApp or by using an automated tool it developed to intercept and manipulate the communication between the mobile and web versions of the app.

"The mobile app is the back end if you are using WhatsApp Web," he says. Everything that a user does on WhatsApp Web is synced directly with his or her mobile device. When a user sends a message on WhatsApp Web, the message is actually being sent from the mobile device, and that is where the encryption happens. What Check Point discovered is that if someone manipulates the parameters via the browser or automated tool and hits the "send" button on a message, the mobile app just encrypts and sends the message without any validation.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.