
8/9/2018

Weakness in WhatsApp Enables Large-Scale Social Engineering

Problem lies in WhatsApp's validation of message parameters and cannot currently be mitigated, Check Point researchers say.

Researchers at Check Point Software Technologies say they have discovered a dangerous weakness in the WhatsApp messaging app that gives threat actors a way to manipulate content in private and group conversations on the platform without raising any red flags.

The security vendor this week published a report demonstrating how an adversary could exploit the issue to change the identity of a message sender, alter the text of message replies, and send private messages spoofed as a public message to individual participants in a group.

In a statement, a spokeswoman for the Facebook-owned WhatsApp said the company had reviewed the issue and found it to be the equivalent of someone altering an email to make the content appear like something a person never wrote. "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp," the statement noted. 

But Oded Vanunu, head of product vulnerability research at Check Point, says his company has not claimed the issue has anything to do with the security of WhatsApp's encryption at all. By raising the encryption issue, WhatsApp is only deflecting attention from the real problem: a fundamental weakness that exists in WhatsApp's validation of key message parameters.

The weakness gives attackers a way to manipulate key attributes of a WhatsApp message before it is encrypted. For example, an attacker could use the "quote" feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Or they could exploit the weakness to alter the text of another person's reply to make it appear as if they said something they never did. An attacker could also exploit the issue to trick a targeted individual into thinking they are sharing information in a private conversation when in reality it is visible to everyone else in a group.

In each case, the manipulation takes place before the message is encrypted, and because WhatsApp has no way to detect it, the altered message is simply encrypted and delivered to the recipient. "The encryption works as expected," Vanunu says. "The manipulation exists before the encryption via message parameters."

WhatsApp currently has some 1.5 billion users, 450 million of whom use it daily to send text messages, share images and video, and make phone and video calls. WhatsApp is used widely not just by consumers but also by businesses and governments for sensitive conversations involving confidential information and other data that could even end up being used in a court of law, Vanunu says. Therefore, the potential for threat actors to exploit the weakness to carry out social engineering on a massive scale is very real, he says.

He points to recent incidents in India, where WhatsApp-borne rumors resulted in the lynching of several innocent people, and a disinformation campaign in Brazil involving the yellow fever vaccine as examples of how the platform already is being abused for social engineering. "We are talking about 65 billion messages sent every day," he says. "We want people to understand that WhatsApp messages can be manipulated to trigger fake news."

Vanunu describes the problem as a fundamental design issue in WhatsApp that currently cannot be mitigated. He says Check Point used a commonly available tool for intercepting network packets to understand how WhatsApp's protocol works, and it quickly identified the parameters that are actually sent between the mobile version of WhatsApp and the web version.

The parameters of particular interest were "conversation," which pertains to the actual content being sent or received; "participant," referring to the message sender; "fromMe," indicating if the user personally sent the message or someone else did; "remoteJid," indicating the group or contact to which the message is sent; and "id," the identity associated with the data.

Check Point found that it could relatively easily manipulate the parameters either via the browser in the web version of WhatsApp or by using an automated tool it developed to intercept and manipulate the communication between the mobile and web versions of the app.

"The mobile app is the back end if you are using WhatsApp Web," he says. Everything that a user does on WhatsApp Web is synced directly with his or her mobile device. When a user sends a message on WhatsApp Web, the message is actually being sent from the mobile device, and that is where the encryption happens. What Check Point discovered is that if someone manipulates the parameters via the browser or automated tool and hits the "send" button on a message, the mobile app just encrypts and sends the message without any validation.
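As an added illustration (not code from WhatsApp or Check Point), the block below shows the kind of parameter validation the article says is missing: a check applied at the point where the mobile app would encrypt a message arriving from WhatsApp Web, using the field names the article lists. The JIDs, group roster and store of previously seen messages are constructed samples, and the checks are assumptions about what such validation would need to cover.

```python
# Added example (not WhatsApp's or Check Point's code): validation of the
# message parameters the article names (conversation, participant, fromMe,
# remoteJid, id) before a message from the web client is encrypted and sent.
# All identifiers, the roster and the stored messages are constructed samples.

OWN_JID = "alice@s.whatsapp.net"                       # constructed: this device
GROUP_JID = "group-demo@g.us"                          # constructed: a group chat
ROSTER = {GROUP_JID: {OWN_JID, "bob@s.whatsapp.net"}}  # constructed membership
# Constructed record of messages this device already sent or received, keyed
# by id; treated as the authoritative sender and text for any later quote.
SEEN = {
    "m1": {"remoteJid": GROUP_JID, "participant": "bob@s.whatsapp.net",
           "conversation": "Meeting moved to 3pm"},
}


def validate(msg, own=OWN_JID, roster=ROSTER, seen=SEEN):
    """Return reasons to refuse encrypting msg; an empty list means accept."""
    problems = []
    # 1. Sender binding: a message leaving this device must be marked as ours
    #    and carry our own JID, whatever the web client claims.
    if not msg.get("fromMe") or msg.get("participant") != own:
        problems.append("sender fields do not match this device")
    # 2. Destination: a group remoteJid must be a group we actually belong to.
    rj = msg.get("remoteJid", "")
    if rj.endswith("@g.us") and own not in roster.get(rj, set()):
        problems.append("not a member of target group")
    # 3. Quoted reply: the quote must refer to a message seen in this same
    #    chat, with its original sender and text unchanged. This covers the
    #    spoofed quoted sender, the altered reply text, and a group message
    #    re-used inside a private chat (or the reverse).
    q = msg.get("quoted")
    if q is not None:
        orig = seen.get(q.get("id"))
        if orig is None or orig["remoteJid"] != rj:
            problems.append("quoted id unknown in this chat")
        else:
            if q.get("participant") != orig["participant"]:
                problems.append("quoted sender altered")
            if q.get("conversation") != orig["conversation"]:
                problems.append("quoted text altered")
    return problems
```

The store keyed by message id is what gives the check teeth: without an authoritative copy of what was actually said and by whom, the encrypting side has nothing to compare a quote against.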


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...