WhatsApp bills itself as a free and secure messaging application with end-to-end encryption and cross-platform support, all of which have made it a popular option. However, it may not be as secure as advertised. Vulnerabilities that were disclosed last year have still not been addressed, and if abused, could allow an attacker to spoof messages.
Researchers at Check Point disclosed a trio of attack vectors last year, explaining that they could enable a hacker to change a user's messages, change a sender's identity, and make private messages viewable to the public. One of those has been addressed, but two of the attack vectors still remain, as researchers recently demonstrated at the Black Hat USA 2019 conference in Las Vegas.
"WhatsApp end-to-end encryption ensures that only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp. However, we managed to reverse-engineer WhatsApp web source code and successfully decrypted WhatsApp traffic," Check Point researchers Roman Zaikin and Oded Vanunu said.
The researchers manipulated the encryption scheme that WhatsApp uses, converting the "protobuf2" protocol to JSON. This allowed them to see what was going on underneath the hood, and opened the door to messaging shenanigans. One of the things this makes possible is altering the text of a user's reply, "essentially putting words in their mouth."
"During the process we unveiled new vulnerabilities that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources," the researchers added.
WhatsApp got scooped up by Facebook in 2014 for $19 billion. The messaging platform boasts over 1 billion users in over 180 countries, which makes these kinds of vulnerabilities all the more worrisome. Hopefully the attention this is receiving will prompt Facebook to finally fix the remaining security flaws.
After posting this article, a Facebook spokesperson reached out to HotHardware with a comment.
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private—such as storing information about the origin of messages,” a Facebook spokesperson said.
Facebook also said that end-to-end encryption remains safe, and that when someone replies to a message, the WhatsApp client copies the text available within the app and creates a kind of graphical representation that helps people follow the conversation.
According to Facebook, making the changes that Check Point suggests would result in the following:
- Require WhatsApp to log all messages, which we do not want to do for the privacy of our users; or
- Make it impossible to deliver messages to groups when a single person was not connected to the internet (i.e. while on a plane), which would have serious usability problems; or
- Prevent the ability for users to quote reply a message sent prior to a new group member joining, which would also have problems.
- People always have the option of blocking a sender who tries to spoof messages and they can report problematic content to us. We also work to ban accounts trying to change WhatsApp and use it to spam users.
- In summary: WhatsApp’s main goal is to ensure user privacy, and Checkpoint’s suggested changes to WhatsApp would be worse for user privacy.