UPDATED with comment from Facebook.
LAS VEGAS -- WhatsApp encryption is basically unbreakable. But it's still possible to alter outgoing WhatsApp communications to fool, swindle or otherwise trick people with real-seeming fake messages -- especially if the messages seem to come from other people.
WhatsApp messages can be manipulated to add fake quotations from other WhatsApp users, to alter the quoted text of real replies, and to send secret messages to individuals within group chats, two Israeli researchers revealed Wednesday (Aug. 7) at the Black Hat conference here.
"Why is this important?" Check Point researcher Oded Vanunu asked the crowd. "WhatsApp is not just an application. It's an infrastructure of 1.5 billion users."
Vanunu and fellow Check Point researcher Roman Zaikin said that attackers could use altered WhatsApp messages to trick people into making bad decisions -- or worse. They ran a live demonstration in which "SpongeBob SquarePants" character Patrick Star appeared to confess to killing SpongeBob, after one participant in a group chat altered the text of a message that quoted Patrick's initial denial.
Unfortunately, these problems aren't going away. Facebook, WhatsApp's owner, managed to patch one flaw that let you send a private one-on-one message to a specific individual within the context of a group chat. But the Check Point researchers said Facebook told them it could not fix the manipulation of the quote function in WhatsApp because of the limitations imposed by WhatsApp's end-to-end encryption.
For the time being, you're going to have to regard message quoted second-hand in other people's messages with suspicion. Thanks to the work these Israeli researchers have done, you can't trust quoted messages in WhatsApp anymore.
How the hack works
None of these messages are being intercepted or modified after they are sent from one WhatsApp user to another. Instead, they're altered by a third-party piece of software before they're sent from the user's device -- in the researchers' case, a Windows PC running the WhatsApp Windows client software.
The Check Point researchers reverse-engineered the methods by which the WhatsApp application generates encryption keys. They then created an extension for BurpSuite, a common network-traffic-interception tool used by security researchers, so that BurpSuite could access, decrypt and re-encrypt messages in the WhatsApp desktop software before the messages were sent.
Using the BurpSuite extension, the researchers could capture a WhatsApp message before it was sent and manipulate the structure and formats of the messages. They could change to whom the messages were sent, or to whom the messages were attributed. They could attribute quoted previous WhatsApp messages to the wrong users, alter the text of quoted messages or change the format of messages in group chats so that the messages went to only a single user instead of to the entire group.
In one example combining their attacks, the researchers simulated a WhatsApp group chat among three individuals: a real estate broker, a property buyer and a property seller.
The buyer is the malicious actor, and he uses the misquoted attack to undercut the seller's own price, deceptively "quoting" the seller as agreeing to a lower price. The buyer then uses another flaw to send a private message to the seller asking both buyer and seller to agree on a price, and swaps out the message-originating ID so that the message seems to be coming from the broker instead of the seller.
The seller, thinking he's responding to the broker in a group chat, says "OK." The OK shows up in the group chat, but the question preceding it does not. To the broker and the buyer, it appears the seller has agreed to the new, lower price when in fact the seller has not.
Again, the private-message-within-group-chat flaw has been fixed. But the Check Point team was a bit surprised to learn that the quotation-manipulation flaws were not.
"So should we keep this information to ourselves?" Vanunu said. "No, we can't. It's a big privacy risk."
UPDATE: Facebook responded with a statement, in full:
"We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn't write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private -- such as storing information about the origin of messages."
