WhatsApp vulnerabilities that allow changing someone else's messages

Over 1.5 billion people in over 180 countries use WhatsApp, a messaging app owned by Facebook. The average user checks WhatsApp more than 23 times a day, and the number of app users in the US is projected to grow to 25.6 million by 2021.
Given how much everyone chats there, the potential for online fraud, rumors, and fake news is huge. Attackers have additional weapons in their arsenal that allow them to use the messaging platform for their malicious purposes.
At the end of 2018, Check Point Research notified WhatsApp of new vulnerabilities in the application that would allow attackers to intercept and manipulate messages sent both in private and in group conversations, making it possible to create and disseminate misinformation from seemingly trusted sources.
The Check Point Research team discovered three possible attacks that exploit this vulnerability, each of which relies on social engineering tactics to trick end users. An attacker can:
  1. Use the quote function in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  2. Change the text of someone’s response, essentially speaking for another person.
  3. Send a private message, disguised as a message for all chat participants, to a specific member of the group, so when this “victim” answers, her response becomes visible to everyone in the conversation.
WhatsApp fixed the third vulnerability. But Check Point Research found that it was still possible to manipulate quoted messages and spread misinformation from seemingly reliable sources.
Following the rules of responsible disclosure, Check Point Research informed WhatsApp of its findings. In the view of Check Point Research, these vulnerabilities are of great importance and require attention.
To demonstrate the severity of this vulnerability in WhatsApp, Check Point Research created a tool that decrypts WhatsApp communication and forges messages.
The messenger encrypts every message, image, call, video or other content you send so that only the recipient can see it; WhatsApp itself cannot view these messages.
This encryption attracted the researchers' attention, and Check Point Research decided to reverse engineer WhatsApp's algorithm in order to decrypt the data. After decrypting WhatsApp's communication, they discovered that WhatsApp uses the protobuf2 protocol for it.
By converting the protobuf2 data to JSON, Check Point Research was able to see the actual parameters being sent and manipulate them to verify the security of WhatsApp.
The research produced a Burp Suite extension and three attack methods (the third vulnerability has been fixed, so only two attacks are described in this article).
However, before an attack can begin, the private and public session keys must first be obtained and entered into the corresponding fields of the Burp Suite extension.

Obtaining the keys

The keys can be obtained at the key generation stage in WhatsApp Web, before the QR code is created:
Public and private message keys
Once these keys have been captured, the “secret” parameter must also be taken; it is sent by the mobile phone to WhatsApp Web while the user scans the QR code:
WebSocket secret key
As a result, the extension looks like this:
Burp Suite extension: WhatsApp Decoder
After clicking “Connect”, the extension connects to a local extension server, which performs all the necessary tasks.

Manipulating WhatsApp

Having decrypted the WhatsApp connection, Check Point Research was able to see all the parameters that are actually transferred between the WhatsApp mobile version and the web version. This made it possible to manipulate them and start looking for security problems.
This led to several types of attacks, described below.

Attack 1. Changing the identity of the sender in a group chat, even if they are not a member of the group

In this attack, a reply message can be forged to impersonate another member of the group, or even a non-existent member such as “Mickey Mouse”.
To impersonate someone from the group, an attacker only needs to intercept the encrypted traffic:
WhatsApp encrypted communication
After capturing the traffic, the attacker simply sends it to the extension, which decrypts it:
Decrypt WhatsApp message using extension
Key parameters:
  • conversation - the content that is sent;
  • participant - the participant who sent the content;
  • fromMe - indicates whether the data was sent by me or by someone else in the group;
  • remoteJid - indicates which group or contact the data is being sent to;
  • id - data identifier; the same identifier appears in the phone's databases.
This is where things get interesting.
For example, the message content can be changed. A message reading “Great!” sent by a group member can be altered to something else, such as “I'm going to die, in a hospital right now!”, and the participant parameter can likewise be changed to someone else in the group:
Fake Reply Message
Note that the id also needs to be changed, because the original id was already stored in the database when the message was sent.
For everyone to see the forged message, the attacker replies to the message he forged, quoting and modifying it (“Great”), so that the reply is sent to everyone in the group.
As the screenshot below shows, a new group was created in which nobody had written anything yet, and a fake reply was created using the method described above.
Original conversation
The participant parameter can also be set to a text string or the phone number of a person who is not in the group, which makes everyone in the group believe the message was really sent by that person.
For example:
Editing message content using the debug tool
The result is as follows, and as before it is sent to everyone in the group:
Reply to a message sent by someone outside the group

Attack 2. Changing the text of someone's reply

In this attack, an attacker manipulates a chat by sending messages to themselves on behalf of another person, so that they appear to have come from that person. This could be used to incriminate someone or to fabricate a fraudulent agreement.
To forge a message, the fromMe parameter, which indicates who sent the message in a private chat, needs to be changed.
This time, an outgoing message was captured in WhatsApp Web before it even reached Burp Suite. To do this, a breakpoint was set on the aesCbcEncrypt function and the data taken from its “a” parameter:
Outbound message manipulation
This data was then pasted into Burp Suite with the outbound direction selected; clicking “Decrypt” makes the extension decrypt it:
Decryption of outgoing message
After changing fromMe to false and encrypting the data again, the following result was obtained:
Outgoing message encryption
The “a” parameter in the browser is then replaced with the re-encrypted data, and the result is a push notification with the forged content. In this way even an entire chat can be replaced.
Sending a message to yourself on behalf of someone else
And then the dialogue will look like this:
Sending a message to yourself on behalf of someone else
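As an added, defender-side example (not Check Point's extension or WhatsApp's own code): the consistency checks a client or forensic reviewer could run over a decoded message using the parameters listed above, flagging the forged participant of Attack 1, the flipped fromMe of Attack 2, and a reused id. The group roster, the JID suffix, the inbound/outbound direction label and the seen-id store are assumptions; the sample messages are constructed.

```python
from dataclasses import dataclass, field

GROUP_SUFFIX = "@g.us"  # assumption: group remoteJid values end this way


@dataclass
class ChatState:
    own_jid: str                                # JID of the local account
    members: dict                               # group remoteJid -> set of member JIDs
    seen_ids: set = field(default_factory=set)  # message ids already in the local db


def check_message(msg: dict, state: ChatState, direction: str) -> list:
    """Return findings for one decoded message; an empty list means consistent.

    direction is "inbound" (phone -> web) or "outbound" (web -> phone), the
    same distinction the extension asks for before decrypting.
    """
    findings = []
    remote = msg.get("remoteJid", "")
    participant = msg.get("participant")
    from_me = msg.get("fromMe")
    msg_id = msg.get("id")

    if remote.endswith(GROUP_SUFFIX):
        roster = state.members.get(remote, set())
        # Attack 1: 'participant' names someone who is not in the group roster
        if participant is not None and participant not in roster:
            findings.append(f"participant {participant!r} is not a member of {remote}")
    # Attack 2: a message leaving the local client must be marked as ours
    if direction == "outbound" and from_me is not True:
        findings.append("outbound message carries fromMe=false")
    if from_me and participant not in (None, state.own_jid):
        findings.append(f"fromMe=true but participant is {participant!r}")
    # A forged copy needs a fresh id because the original is already stored
    if msg_id in state.seen_ids:
        findings.append(f"id {msg_id!r} reuses a message already in the local database")
    else:
        state.seen_ids.add(msg_id)
    return findings


def demo() -> dict:
    """Run the check over constructed messages; returns findings per label."""
    state = ChatState(own_jid="1000@s.whatsapp.net",
                      members={"group1@g.us": {"1000@s.whatsapp.net", "2000@s.whatsapp.net"}})
    forged = {"conversation": "Great!", "participant": "3000@s.whatsapp.net",
              "fromMe": False, "remoteJid": "group1@g.us", "id": "A1"}
    flipped = {"conversation": "Agreed.", "fromMe": False,
               "remoteJid": "2000@s.whatsapp.net", "id": "B2"}
    ok = {"conversation": "hi", "participant": "2000@s.whatsapp.net",
          "fromMe": False, "remoteJid": "group1@g.us", "id": "C3"}
    return {"forged": check_message(forged, state, "inbound"),
            "flipped": check_message(flipped, state, "outbound"),
            "ok": check_message(ok, state, "inbound"),
            "replay": check_message(ok, state, "inbound")}
```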

Conclusion

This is yet another case showing that even the seemingly most trusted sources of information on the Internet deserve scrutiny. After all, WhatsApp has not fixed the remaining two vulnerabilities, which are quite simple to exploit.