WhatsApp, the most popular messaging application in the world, has been found to contain multiple security vulnerabilities that could allow malicious users to intercept and modify the content of messages sent in both private and group conversations.
Discovered by security researchers at Israeli security firm Check Point, the flaws take advantage of a loophole in WhatsApp’s security protocols to change the content of the messages, allowing malicious users to create and spread misinformation or fake news from “what appear to be trusted sources.”
The flaws reside in the way the WhatsApp mobile application connects with WhatsApp Web and decrypts end-to-end encrypted messages using the protobuf2 protocol.
The vulnerabilities could allow hackers to misuse the ‘quote’ feature in a WhatsApp group conversation to change the identity of the sender, or alter the content of someone else’s reply to a group chat, or even send private messages to one of the group participants (but invisible to other members) disguised as a group message for all.
In an example, the researchers were able to change a WhatsApp chat entry that said “Great!”—sent by one member of a group—to read “I’m going to die, in a hospital right now!”
It should be noted that the reported vulnerabilities do not allow a third person to intercept or modify end-to-end encrypted WhatsApp messages, but instead, the flaws could be exploited only by malicious users who are already part of group conversations.
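The quote misuse described above works because a reply carries its own copy of the quoted message, so a receiving client can compare that copy with what it actually received. The sketch below is an added example, not WhatsApp's or Check Point's code; the field names, the `GroupHistory` store and the sample messages are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Quote:
    """Copy of the quoted message as supplied by the replying sender (untrusted)."""
    message_id: str
    sender: str
    text: str

@dataclass(frozen=True)
class Message:
    message_id: str
    group: str
    sender: str
    text: str
    quoted: Optional[Quote] = None

class GroupHistory:
    """Messages this client itself received, keyed by (group, message id)."""
    def __init__(self) -> None:
        self._seen: Dict[Tuple[str, str], Message] = {}

    def record(self, msg: Message) -> None:
        self._seen[(msg.group, msg.message_id)] = msg

    def check_quote(self, reply: Message) -> List[str]:
        """Compare the embedded quote with local history; empty list means it matches."""
        q = reply.quoted
        if q is None:
            return []
        original = self._seen.get((reply.group, q.message_id))
        if original is None:
            return ["quoted message not found in this group's history"]
        findings = []
        if original.sender != q.sender:
            findings.append("quoted sender differs from original sender")
        if original.text != q.text:
            findings.append("quoted text differs from original text")
        return findings

# Constructed sample data using the article's example strings.
history = GroupHistory()
history.record(Message("m1", "family", "alice", "Great!"))
forged = Message("m2", "family", "mallory", "Are you OK?",
                 Quote("m1", "alice", "I'm going to die, in a hospital right now!"))
honest = Message("m3", "family", "bob", "Agreed", Quote("m1", "alice", "Great!"))
print(history.check_quote(forged))
```

A client applying a check like this could flag or refuse to render a quote whose sender or text does not match its own record of the referenced message.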
Video Demonstration — How to Modify WhatsApp Chats.
To exploit these vulnerabilities, the Check Point researchers—Dikla Barda, Roman Zaikin, and Oded Vanunu—created a new custom extension for the popular web application security software Burp Suite, allowing them to easily intercept and modify sent and received encrypted messages on their WhatsApp Web.
The tool, which they named “WhatsApp Protocol Decryption Burp Tool,” is available for free on GitHub, and first requires an attacker to input their private and public keys, which can be easily “obtained from the key generation phase from WhatsApp Web before the QR code is generated,” as explained by the trio in a blog post.
“By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.”
In the above-shown YouTube video, researchers demonstrated the three different techniques they have developed, which allowed them to.