- Researchers uncovered several WhatsApp vulnerabilities during the Black Hat 2019 conference.
- The vulnerabilities allow bad actors to manipulate chat messages.
- Facebook doesn’t have a fix for the vulnerabilities.
WhatsApp’s recent security flaws allow bad actors to spoof chat messages and make them look like they came from you, reported Check Point Research yesterday. Check Point Research announced its findings during the Black Hat 2019 security conference.
According to the researchers, there were three ways of exploiting the vulnerabilities:
- Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.
Check Point informed WhatsApp of the vulnerabilities in August 2018. WhatsApp then fixed the third method. However, researchers found it’s still possible to manipulate quoted messages and spoof them. Check Point used its Burp Suite extension to break WhatsApp’s end-to-end encryption and decrypt chat messages. The exploitable element here is the web version of WhatsApp, which uses QR codes to pair with your phone.
Check Point first obtained the public and private key pair created before WhatsApp generates a QR code. Combined with the “secret” parameter sent by your phone to the WhatsApp web client when you scan the QR code, the Burp Suite extension makes it easy to monitor and decrypt messages.
We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages.
Unfortunately, the company doesn’t seem to have a resolution for the WhatsApp vulnerabilities. Because the messaging service uses end-to-end encryption, Facebook can’t access decrypted versions of messages. That means Facebook can’t intervene if bad actors exploit the aforementioned vulnerabilities.