Flaws allows malicious users to modify content
Enterprise network security specialists report that the popular instant messaging app WhatsApp has been affected by multiple security vulnerabilities that could allow malicious users to intercept and modify the content of messages sent in both private and group chats.
Discovered by Israeli enterprise network security experts, the vulnerabilities take advantage of a loophole in WhatsApp security protocols to change the content of the messages, allowing the malicious users to create and to spread fake information or malicious content that appears to come from reliable sources. Vulnerabilities reside in how the WhatsApp mobile app connects to WhatsApp Web and deciphers end-to-end encrypted messages.
These flaws could allow hackers to use the ‘quote’ feature in a WhatsApp group conversation to change the identity of the sender or alter the content of another person’s response to a group chat, or even send private messages to any of a group participants (being invisible to other members) disguised as a message to all group participants.
For example, enterprise network security investigators were able to change a WhatsApp chat entry that said “Great!”, sent by a member of a group, for others to read “I’m going to die, I’m in a hospital right now!”
It should be noted that the vulnerabilities reported do not allow third parties to intercept or modify the messages of WhatsApp, but could be exploited only by malicious users who are part of a WhatsApp group chat.
To exploit these vulnerabilities, enterprise network security experts created a new custom extension for the popular security software for web applications Burp Suite, enabling them to easily intercept and modify encrypted messages sent and received via WhatsApp Web.
This tool, which they called “WhatsApp Protocol Decryption Burp Tool”, is available for free on GitHub, and requires attackers to enter their private and public keys, which can be easily obtained from the key generation phase of WhatsApp Web before it generates the QR code.
Enterprise network security experts described the three different variants of the hack:
- Change the response of a message: using the Burp Suite extension, a malicious WhatsApp user can alter the content of other users’ responses, putting in their mouth words they never really said.
- Change the identity of the sender of a message in a group chat: The attack allows malicious users to exploit the ‘quote’ function – which allows responding to a past message by tagging it – to create a fake answer, posing as someone else, even someone who is not in the group chat.
- Send a private message in a group chat, but when the recipient replies, the whole group sees it: the third attack allows a malicious user to send a specially designed message that only a specific person will be able to see. If the selected person responds to the message, his/her answer will be shown to everyone in the group.
The vulnerabilities will remain unpatched
Enterprise network security investigators reported failures to WhatsApp security team, but the company argued that since these messages do not compromise end-to-end encryption, users will always have the option of blocking a sender who tries to spoof messages and report such behaviors.
Since WhatsApp has become one of the most important tools to spread fake news and misinformation, at least in countries with a volatile political environment, specialists in enterprise network security believe that WhatsApp should solve these problems, in addition to the massive messages forwarding.