Andrea Danti - Fotolia

How did WhatsApp vulnerabilities get around encryption?

WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work and how to prevent them.

Check Point researchers discovered WhatsApp vulnerabilities that can enable threat actors to get around the app's end-to-end encryption and intercept, and even manipulate, messages. How do these attacks work?

At the top of every WhatsApp chat, there is a message that either says, "Messages to this chat and calls are now secured with end-to-end encryption," or, if it's a group chat, "Messages to this group are now secured with end-to-end encryption." This assertion is true, and not even employees of WhatsApp Inc. or someone sniffing the network has the ability to view users' messages thanks to the end-to-end encryption the company implemented in 2016.

However, researchers at Check Point Research found three WhatsApp vulnerabilities enabling users to intercept and manipulate messages in private and group chats. Because these WhatsApp vulnerabilities provide a way for hackers to modify messages, launch online scams, and spread rumors and fake news from what appear to be trusted sources, it has been called FakesApp.

With end-to-end encryption, messages are encrypted by the sender and can only be decrypted by the intended recipient, preventing messages from being read or modified by anyone other than the true sender and recipient. The point at which this happens provided Check Point with the opportunity to reverse the encryption process and then locally decrypt the network requests to determine how WhatsApp messaging works.

These WhatsApp vulnerabilities are caused by the way the WhatsApp mobile app uses a QR code to log a user into the WhatsApp web app, which is called WhatsApp Web. After carefully studying the message encryption process, the Check Point researchers discovered that the keys that are used to encrypt and decrypt messages can be obtained during the key generation phase from WhatsApp Web before the QR code is generated. The secret parameter sent by the mobile phone to WhatsApp Web when the user scans the QR code can also be captured.

To automate these tasks, the researchers created an extension of the web application security tool Burp Suite. Their WhatsApp Protocol Decryption Burp Tool is available for free on GitHub.

With this information, the researchers were able to easily intercept and modify sent and received encrypted messages on their WhatsApp web app, yielding three types of attack:

  1. Changing the identity of a sender in a group chat -- even if they are not a member of the group.
  2. Changing a correspondent's reply.
  3. Sending a private message in a chat group -- but when the recipient replies, the whole group sees it.

These attacks can be combined with social engineering by a malicious user who is already part of a group conversation to impersonate another group member and attribute different words to a person than what they actually wrote, or to trick someone into revealing information to the group that they may otherwise not want them to know.

WhatsApp has responded to the disclosed report by saying that this vulnerability has nothing to do with its end-to-end encryption, but with the design framework of the app. The company has also said users always have the option of blocking a sender who tries to spoof messages or they can report problematic content to WhatsApp.

WhatsApp has said, "This is a known edge case that relates to the fact that we do not store messages on our servers and do not have a single source of truth for these messages," which is why it cannot prevent the modification of the message content.

Users -- and certainly enterprises that allow the use of WhatsApp Web -- should be aware of these WhatsApp vulnerabilities and assess whether its functionality is worth the risk to security.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing