Security researchers said they have detected a serious vulnerability in WhatsApp that led to group chat crash the moment a destructive message was introduced by the hackers in the chat, leading the entire group chat history being deleted forever.
Cybersecurity is a fast-evolving game of wits where hackers and defenders continue to outmanoeuvre one another. Attacks are not only rising in numbers, but also in quality. With technology becoming more sophisticated and disruption coming at every turn, cyber-attacks are becoming more persistent and complex. In 2020, you should be aware of the following trends in cybersecurity. On an average, 65 billion messages are sent on WhatsApp per day by over 1.5 Billion users globally .
The Facebook-owned messaging app issued a fix to resolve the issue which is available since WhatsApp version 2.19.58. Urging all users to update WhatsApp to the latest version, security researchers at global cybersecurity firm Check Point identified the flaw that would allow a bad actor to create a malicious group message to crash Facebook-owned WhatsApp on users’ devices.
A year after the previous WhatsApp research, the team was eager to dig back in and find new vulnerabilities in the app. We set up the WhatsApp Manipulation Tool and started testing new ways to manipulate WhatsApp protocol.
In this blog we will describe in detail the technique used in our testing where one can crash WhatsApp on multiple phones in a shared group.We will briefly go over how to set everything up so we can start the manipulation .
First, we need to browse to WhatsApp Web and open Chrome’s DevTools. We will need to set a few breakpoints in places where the encryption keys are generated and then obtain them during the login process.
Second, we need to get the “secret” parameter from the traffic passing through Burp Suite Web Socket tab after the QR is scanned. This parameter holds the necessary data required for the manipulation part which was explained in the previous blog post.
Third, we need to start the local python server (can be found in the GitHub project) which awaits a connection. Once the python server receives a message, it decrypts it (by using our encryption keys) and sends it back to the Burp Suite WhatsApp Manipulation Tool in clear text.
Lastly, both the private and public keys, and the “secret” parameter obtained in the preceding steps are used within the Burp Suite Extension to connect to the python server.
“Because WhatsApp is one of the world’s leading communication channels for consumers, businesses and government agencies, the ability to stop people using WhatsApp and delete valuable information from group chats is a powerful weapon for bad actors,” said Oded Vanunu, Check Point’s Head of Product Vulnerability Research. “All WhatsApp users should update to the latest version of the app to protect themselves against this possible attack,” Vanunu added.
Some of the latest news regarding WhatsApp vulnerabilities are relating to a manipulation of the WhatsApp protocol using a tool built by Check Point Research in order to validate WhatsApp security without jeopardizing WhatsApp end to end encryption. This tool allows a user to modify WhatsApp messages before being sent and change the general parameters, such as participant’s phone number.
Check Point Research disclosed its findings to the WhatsApp bug bounty programme in August this year. WhatsApp acknowledged the findings and developed a fix to resolve the issue which users should manually apply on their devices.
“WhatsApp responded quickly and responsibly to deploy the mitigation against exploitation of this vulnerability,” said Vanunu.
The Check Point Research team found the vulnerability by inspecting the communications between WhatsApp and WhatsApp Web, the web version of the app which mirrors all messages sent and received from the user’s phone. This enabled researchers to see the parameters used for WhatsApp communications and manipulate them.
Security awareness will remain key in patching up the vulnerabilities in organizations. Developing a security focused culture and empowering employees against attacks can significantly drive innovation against cyber-attacks.
