Research By: Dikla Barda, Roman Zaikin and Oded Vanunu
According to sources, WhatsApp, the Facebook-owned messaging application has over 1.5 billion users in over 180 countries. The average user checks WhatsApp more than 23 times per day. And, the number of WhatsApp users in USA is predicted to grow to 25.6 million by 2021.
Given all the chatter, the potential for online scams, rumors and fake news is huge. Threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions.
Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application that would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources.
The Check Point Research team observed three possible methods of attack exploiting this vulnerability – all of which involve social engineering tactics to fool end-users. A threat actor may:
WhatsApp fixed the 3rd vulnerability which enabled threat actors to send a private message to another group participant disguised as a public message for all. But, we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources.
Following the process of Responsible Disclosure, Check Point Research informed WhatsApp of its findings. From Check Point Research’s perspective, we believe these vulnerabilities to be of the utmost importance and require attention.
To demonstrate the severity of this vulnerability in WhatsApp, we created a tool that allows us to decrypt WhatsApp communication and spoof the messages.
As is well-known, WhatsApp encrypts every message, picture, call, video or any other type of content you send so that only the recipient can see it. WhatsApp does not have the ability to view these messages.
Figure 1: WhatsApp Encrypted Chat
These encryption processes caught our attention, and we decided to try to reverse the WhatsApp’s algorithm to decrypt the data. Indeed, after decrypting the WhatsApp communication, we found that WhatsApp is using the “protobuf2 protocol” to do so.
By converting this protobuf2 data to Json we were able to see the actual parameters that are sent and manipulate them in order to check WhatsApp’s security.
The outcome of our research is a Burp Suit Extension and 3 Manipulation methods (the 3rd one was fixed our we disclosure the vulnerability to WhatsApp)
To start the manipulation, though, we first have to get the private and public key of our session and fill it in our burpsuit extension.
If you are interested in a detailed explanation about how the encryption actually works behind the scenes, please read the technical details from our blog at 2018:
Accessing the Keys
The keys can be obtained from the key generation phase from WhatsApp Web before the QR code is generated:
Figure 2: Public and Private Key of the Communication
After we take these keys, we need to take the “secret” parameter which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:
Figure 3: The Secret Key from the WebSocket
As a result of this, our extension will look like the below:
Figure 4: WhatsApp Decoder Burp Extension
After clicking on “Connect”, the extension connects to the extension’s local server, which performs all the tasks required for the extension.
By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This enabled us to then manipulate them and start looking for security issues.
This resulted in us to carry out a variety of attack types described below:
Attack 1: Change the Identity of a Sender in a Group Chat, Even If They Are Not a Member of the Group
In this attack, it is possible to spoof a reply message to impersonate another group member and even a non-existing group member, for example, ‘Mickey Mouse’.
To impersonate someone from the group, all the attacker need do is catch the encrypted traffic:
Figure 5: Encrypted WhatsApp Communication
Once the traffic is captured, he can simply send it to an extension which will then decrypt the traffic:
Figure 6: Decrypting the WhatsApp Message
By Using Our Extension
The interesting parameters to note here are:
And this is the point where interesting things begin to happen…
For example, we can change the conversation to something else. The message with the content “Great!” sent by a member of a group, for instance, could be changed to something else like: “I’m going to die in a hospital right now” and the participant parameter could also be changed to someone else from the group:
Figure 7: A Spoofed Reply Message
Note that we have to change the id to something else because it is already sent and appears in the database.
In order to make everyone see the new spoofed message the attacker needs to reply to the message he spoofed, quoting and changing that message (“Great”) in order for it be sent to everyone in the group.
As you can see in the below screenshot, we created a new group where no previous messages were sent, and by using the method from above we were able to create a fake reply.
Figure 8: The Original Conversation
The ‘participant’ parameter can also be a text or a phone number of someone that is not in the group, which would cause everyone in the group to believe that it is actually sent from this participant.
Figure 9: Changing The Content Of The Message
By Using Our Debugging Tool
…and the result will look like this:
This would again be sent to everyone in the group as before.
Figure 10: Reply To a Message That Sent From
Someone Outside of the Group
Attack 2: Changing a Correspondent’s Reply To Put Words in Their Mouth
In this attack, the attacker is able to manipulate the chat by sending a message back to himself on behalf of the other person, as if it had come from them. By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example.
In order to spoof the messages, we have to manipulate the ‘fromMe’ parameter in the message, which indicates who sent the message in the personal chat.
This time we will capture the outgoing message from WhatsApp Web before it is even sent to our Burp Suite. In order to do that, we can put a break point on the aesCbcEncrypt function and take the data from the ‘a’ parameter:
Figure 11: OutGoing Message Manipulation
We will then copy this data to our Burp extension and select the outgoing direction. By pressing on “Decrypt”, our extension will decrypt the data:
Figure 12: Decryption of Outgoing Message
After changing it to false and encrypting it back we then get the below result:
Figure 13: Encryption of Outgoing Message
We have to then modify the ‘a’ parameter in our browser, and the result will be a push notification with the content. In this way, it is even possible to spoof the entire chat.
Figure 14: Sending Messages To Myself
on Behalf of Someone Else.
The whole conversation will then look like this:
Figure 15: Sending Messages To Myself
on Behalf of Someone Else