At Black Hat USA 2019, Check Point researchers Roman Zaikin and Oded Vanunu identified three attack modes in WhatsApp which can be exploited to intercept and manipulate users’ chats. Using these attack methods, an attacker can also make private messages public and change sender identities. These WhatsApp security issues were already disclosed to WhatsApp last year. However, they remain exploitable even after one year.
The researchers said in their Black Hat USA session:
“WhatsApp end-to-end encryption ensures that only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp. However, we managed to reverse-engineer WhatsApp web source code and successfully decrypted WhatsApp traffic. Reverse Engineering WhatsApp Encryption for Chat Manipulation and More.”
According to the Threatpost blog, the researchers found that the messaging platform uses the “protobuf2” protocol for encryption. By converting this protobuf2 data to JSON, the researchers were able to see the actual parameters of the messages that were sent and manipulate them in order to spoof messages.
What are the Security Issues?
- The attackers can disguise a private message as a public message and send it to a participant of a group. This causes the ‘private’ response from the targeted individual to be visible to everyone in the conversation.
- The attackers can use the ‘quote’ function of a group conversation to change the identity of the message sender, even to someone who is not a member of the group.
- The attacker can alter someone’s reply or message and add bogus data into it.
Roman Zaikin said that this vulnerability can only be carried out by users in a conversation and cannot be carried out by someone sniffing the network due to the encrypted communication.
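A receiving client can catch the second and third issues above by comparing a quoted message against its own stored copy of the original. The following is an added example, not code from WhatsApp or Check Point; the message field names, the `checkQuote` function and the sample history are hypothetical and constructed for illustration.

```javascript
// Added example. Field names (id, chat, sender, text, quoted) are hypothetical
// and do not reflect WhatsApp's actual message schema.

// Constructed local history: messages this client already received and stored.
const localHistory = new Map([
  ["m1", { id: "m1", chat: "group-1", sender: "alice", text: "Lunch at noon?" }],
  ["m2", { id: "m2", chat: "dm-bob", sender: "bob", text: "Keep this private" }],
]);

// Constructed group roster.
const group = { id: "group-1", participants: ["alice", "bob", "carol"] };

// Classify the quote carried by an incoming message as "verified",
// "unverifiable" or "mismatch", and list the reasons found.
function checkQuote(incoming, group, store) {
  const q = incoming.quoted;
  if (!q) return { verdict: "verified", reasons: [] }; // nothing quoted

  const original = store.get(q.id);
  if (!original) {
    // No local copy (joined later, history cleared): content cannot be
    // compared, so flag it and note a quote attributed to a non-member.
    const reasons = ["original-not-in-history"];
    if (!group.participants.includes(q.sender)) reasons.push("sender-not-in-group");
    return { verdict: "unverifiable", reasons };
  }

  // The stored original is the source of truth, so a former member's
  // genuine message still verifies even after they left the group.
  const reasons = [];
  if (original.chat !== incoming.chat) reasons.push("quoted-from-other-chat");
  if (original.sender !== q.sender) reasons.push("sender-mismatch");
  if (original.text.normalize("NFC") !== String(q.text).normalize("NFC")) {
    reasons.push("text-mismatch");
  }
  return { verdict: reasons.length ? "mismatch" : "verified", reasons };
}
```

A client could show the stored original instead of the quoted copy whenever the verdict is `mismatch`, and mark the quote as unconfirmed when it is `unverifiable`.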