WhatsApp’s end-to-end encryption is only secure if you don’t have the encryption keys. But researchers at Check Point Research developed a method of discovering the encryption keys, a produced a tool to manipulate messages.
The researchers discovered that WhatsApp uses the protobuf2 protocol in its communication. By converting the protobuf2 data to Json, it was able to see the parameters being sent — which in turn led them to develop a Burp Suite Extension. They combined this with the ability to extract the keys from the key generation phase from WhatsApp Web before the QR code is sent. The keys allowed them to see the messages, and their extension tool enabled them to manipulate the parameters. From the process, Check Point discovered three vulnerabilities in WhatsApp that were reported to the vendor — only one of which was fixed.
The researchers subsequently returned to WhatsApp and discovered an additional, and more disruptive vulnerability: the ability to crash all phones engaged in a group chat. It is not merely a crash, but a crash loop that loses the current group chat and prevents WhatsApp operating at all without a reinstall. Since WhatsApp messages are encrypted end-to-end and there is no record kept on servers, the content is potentially irretrievable.
The flaw in WhatsApp is simple — all the hard work has already been done in developing the Burp Suite Extension. There were four phases in discovering it. First, using Chrome’s DevTools on the WhatsApp Web to set breakpoints to obtain the encryption keys during the login process. Second, obtaining the ‘secret’ parameter passing through the Burp Suite Web Socket tab after the QR is scanned. Third, starting a local python server which waits for a connection, decrypts it and sends it to the Burp Suite Decryption Tool in clear text.
Finally, both public and private keys and the ‘secret’ parameter are used within the Extension to connect to the Python server — allowing the researchers to decrypt and modify messages as they wish.
Using this process, the researchers discovered a flaw in the way WhatsApp determines each user in a group chat — their phone number. Their extension tool allows them to access and alter the number. “So, in order to exploit this bug,” explain the researchers, “we would need to replace the participant’s parameter from the sender phone number to any non-digit character(s) e.g. ‘c@s.whatsapp.net’.”
By providing an alpha character where the system expects a number, say the researchers, “The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop. Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.”
WhatsApp has more than 1.5 billion users in 180 countries. The number in the U.S. is expected to grow to 86 million by 2023. Most of the users are private individuals, but companies also use the service for confidential or sensitive communication. The potential for irretrievably losing the content of such a conversation could be more than an irritation.
Check Point Research reported the issue to WhatsApp on August 28, 2019, and it was fixed in version 2.19.246 and onwards in mid-September. “WhatsApp responded quickly and responsibly to deploy the mitigation against exploitation of this vulnerability,” said Check Point’s head of product vulnerability research, Oded Vanunu.
In a statement, WhatsApp Software Engineer Ehren Kret said, “WhatsApp greatly values the work of the technology community to help us maintain strong security for our users globally. Thanks to the responsible submission from Check Point to our bug bounty program, we quickly resolved this issue for all WhatsApp apps in mid-September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties all together.”
It is worth considering that, if GCHQ’s proposal to be allowed ‘ghost’ users on group chats were adopted, this flaw would allow the intelligence agency to intervene and close down a chat at will.
It remains important that all WhatsApp users make sure they have the latest version. “Because WhatsApp is one of the world’s leading communication channels for consumers, businesses and government agencies,” warned Vanunu, “the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors. All WhatsApp users should update to the latest version of the app to protect themselves against this possible attack.”
Related: Hackers Can Manipulate Media Files Transferred via WhatsApp, Telegram
Related: Researchers Find Flaw in WhatsApp
Related: Bug Allows Bypass of WhatsApp Face ID, Touch ID Protection
Related: The Argument Against a Mobile Device Backdoor for Government