To exploit these vulnerabilities, the Check Point researchers (Dikla Barda, Roman Zaikin, and Oded Vanunu) created a new custom extension for the popular web application security software Burp Suite, allowing them to easily intercept and modify the encrypted messages sent and received on their WhatsApp Web.
The tool, which they named "WhatsApp Protocol Decryption Burp Tool," is available for free on GitHub and first requires an attacker to input their private and public keys, which can easily be "obtained from the key generation phase from WhatsApp Web before the QR code is generated," as explained by the trio in a blog post.
"By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues."
In the above-shown YouTube video, researchers demonstrated the three different techniques they have developed, which allowed them to:
Using the Burp Suite extension, a malicious WhatsApp user can alter the content of someone else's reply, essentially putting words in their mouth, as shown in the video.
The attack allows a malicious user in a WhatsApp group to exploit the 'quote' feature, which lets users reply to a past message within a chat by tagging it, to spoof a reply message that impersonates another group member or even a non-existent group member.
The third WhatsApp attack allows a malicious group user to send a specially crafted message that only a specific person will be able to see. Only if the targeted individual responds to that message will its content be displayed to everyone in the group.
The trio reported the flaws to the WhatsApp security team, but the company argued that since these messages do not break the fundamental functionality of the end-to-end encryption, users "always have the option of blocking a sender who tries to spoof messages and they can report problematic content to us."
"These are known design trade-offs that have been previously raised in public, including by Signal in a 2014 blog post, and we do not intend to make any change to WhatsApp at this time," the WhatsApp security team replied to the researchers.
WhatsApp shared another argument with the researchers, in the context of why the company cannot stop the modification of message content: "This is a known edge case that relates to the fact that we do not store messages on our servers and do not have a single source of truth for these messages."
"My point was the misinformation, and WhatsApp plays a vital role in our day activity. So, in my point of view they indeed have to fix these issues," Check Point researcher Roman Zaikin said.
"It's always functionality vs. security, and this time WhatsApp chose functionality."
Since WhatsApp has become one of the biggest tools to spread fake news and misinformation, at least in countries with highly volatile political issues, we believe WhatsApp should fix these problems along with putting limits on the forwarded messages.