Dark Reading is part of the Informa Tech Division of Informa PLC


8/9/2018
02:10 PM

Weakness in WhatsApp Enables Large-Scale Social Engineering

Problem lies in WhatsApp's validation of message parameters and cannot currently be mitigated, Check Point researchers say.

Researchers at Check Point Software Technologies say they have discovered a dangerous weakness in the WhatsApp messaging app that gives threat actors a way to manipulate content in private and group conversations on the platform without raising any red flags.

The security vendor this week published a report demonstrating how an adversary could exploit the issue to change the identity of a message sender, alter the text of message replies, and send private messages spoofed as a public message to individual participants in a group.

In a statement, a spokeswoman for the Facebook-owned WhatsApp said the company had reviewed the issue and found it to be the equivalent of someone altering an email to make the content appear like something a person never wrote. "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp," the statement noted. 

But Oded Vanunu, head of product vulnerability research at Check Point, says his company has not claimed the issue has anything to do with the security of WhatsApp's encryption at all. By raising the encryption issue, WhatsApp is only deflecting attention from the real problem: a fundamental weakness that exists in WhatsApp's validation of key message parameters.

The weakness gives attackers a way to manipulate key attributes of a WhatsApp message before it is encrypted. For example, an attacker could use the "quote" feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Or they could exploit the weakness to alter the text of another person's reply to make it appear as if they said something they never did. An attacker could also exploit the issue to trick a targeted individual into thinking they are sharing information in a private conversation when in reality it is visible to everyone else in a group.

In each case, the manipulation happens before the encryption happens — but since WhatsApp does not have a way to catch this manipulation, the altered messages simply get encrypted and delivered to the recipient. "The encryption works as expected," Vanunu says. "The manipulation exists before the encryption via message parameters."

WhatsApp currently has some 1.5 billion users, 450 million of whom use it daily to send text messages, share images and video, and make phone and video calls. WhatsApp is used widely not just by consumers but also by businesses and governments for sensitive conversations involving confidential information and other data that could even end up being used in a court of law, Vanunu says. Therefore, the potential for threat actors to exploit the weakness to carry out social engineering on a massive scale is very real, he says.

He points to recent incidents in India, where WhatsApp-borne rumors resulted in the lynching of several innocent people, and a disinformation campaign in Brazil involving the yellow fever vaccine as examples of how the platform already is being abused for social engineering. "We are talking about 65 billion messages sent every day," he says. "We want people to understand that WhatsApp messages can be manipulated to trigger fake news."

Vanunu describes the problem as a fundamental design issue in WhatsApp that currently cannot be mitigated. He says Check Point used a commonly available tool for intercepting network packets to understand how WhatsApp's protocol works, and it quickly identified the parameters that are actually sent between the mobile version of WhatsApp and the web version.

The parameters of particular interest were "conversation," which pertains to the actual content being sent or received; "participant," referring to the message sender; "fromMe," indicating if the user personally sent the message or someone else did; "remoteJid," indicating the group or contact to which the message is sent; and "id," the identity associated with the data.

Check Point found that it could relatively easily manipulate the parameters either via the browser in the web version of WhatsApp or by using an automated tool it developed to intercept and manipulate the communication between the mobile and web versions of the app.

"The mobile app is the back end if you are using WhatsApp Web," he says. Everything that a user does on WhatsApp Web is synced directly with his or her mobile device. When a user sends a message on WhatsApp Web, the message is actually being sent from the mobile device, and that is where the encryption happens. What Check Point discovered is that if someone manipulates the parameters via the browser or automated tool and hits the "send" button on a message, the mobile app just encrypts and sends the message without any validation.
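
The following is an added example, not code from Check Point or WhatsApp. It sketches the kind of pre-encryption consistency check the article says is absent, applied to a quoted reply. Only the five field names come from the article; the record layout, the "quoted" key, the local history store and all identifiers are assumptions constructed for illustration.

```python
# Added illustration: validate a quoted reply against local history before
# it is encrypted and sent. Layout and "quoted" key are assumptions.
GROUP = "group-1@g.example"                      # constructed identifiers
ALICE, BOB, MALLORY = "alice@example", "bob@example", "mallory@example"

# Local history keyed by (remoteJid, id): what each sender actually wrote.
STORE = {
    (GROUP, "MSG-001"): {"participant": ALICE, "fromMe": False,
                         "conversation": "Meeting moved to 3 pm"},
}
MEMBERS = {GROUP: {ALICE, BOB}}                  # group membership list

def check_quote(msg, store=STORE, members=MEMBERS):
    """Return the reasons to refuse sending msg; an empty list means OK."""
    quoted = msg.get("quoted")
    if quoted is None:
        return []                                # nothing quoted, nothing to check
    chat = msg["remoteJid"]
    original = store.get((chat, quoted.get("id")))
    if original is None:
        return ["quoted id not found in this chat's history"]
    problems = []
    if quoted.get("participant") != original["participant"]:
        problems.append("quoted participant differs from original sender")
    if quoted.get("conversation") != original["conversation"]:
        problems.append("quoted conversation differs from original text")
    group = members.get(chat)
    if group is not None and quoted.get("participant") not in group:
        problems.append("quoted participant is not a group member")
    return problems

# Constructed samples: an honest reply and one whose quote was altered.
HONEST = {"remoteJid": GROUP, "fromMe": True, "conversation": "Noted",
          "quoted": {"id": "MSG-001", "participant": ALICE,
                     "conversation": "Meeting moved to 3 pm"}}
TAMPERED = {"remoteJid": GROUP, "fromMe": True, "conversation": "Noted",
            "quoted": {"id": "MSG-001", "participant": MALLORY,
                       "conversation": "Meeting cancelled"}}

if __name__ == "__main__":
    for name, m in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, check_quote(m) or "ok")
```
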


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
