WhatsApp Protocol Decryption for Chat Manipulation and More
WhatsApp, the Facebook-owned messaging application, has over 1.5 billion users in over 180 countries. The average user checks WhatsApp more than 23 times per day, and the number of WhatsApp users in the USA is predicted to grow to 25.6 million by 2021.
Given all the chatter, the potential for online scams, rumours and fake news is huge. Threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions.
Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application that would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources.
The Check Point Research team observed three possible methods of attack exploiting this vulnerability – all of which involve social engineering tactics to fool end-users. A threat actor may:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.
WhatsApp fixed the 3rd vulnerability, which enabled threat actors to send a private message to another group participant disguised as a public message for all. But we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources.
Following the process of Responsible Disclosure, Check Point Research informed WhatsApp of its findings. From Check Point Research’s perspective, we believe these vulnerabilities to be of the utmost importance and require attention.
To demonstrate the severity of this vulnerability in WhatsApp, we created a tool that allows us to decrypt WhatsApp communication and spoof the messages.
WhatsApp encrypts every message, picture, call, video or any other type of content you send so that only the recipient can see it. WhatsApp does not have the ability to view these messages. These encryption processes caught our attention, and we decided to try to reverse WhatsApp’s algorithm to decrypt the data. Indeed, after decrypting the WhatsApp communication, we found that WhatsApp encodes the message data using the “protobuf2 protocol”.
By converting this protobuf2 data to JSON, we were able to see the actual parameters that are sent and manipulate them in order to check WhatsApp’s security. The outcome of our research is a Burp Suite extension and 3 manipulation methods (the 3rd one was fixed after we disclosed the vulnerability to WhatsApp).
To start the manipulation, though, we first have to get the private and public key of our session and fill them into our Burp Suite extension.
Accessing the Keys
The keys can be obtained from the key generation phase of WhatsApp Web, before the QR code is generated. After we take these keys, we need to take the “secret” parameter, which is sent by the mobile phone to WhatsApp Web while the user scans the QR code. After clicking on “Connect”, the extension connects to the extension’s local server, which performs all the tasks required for the extension.
By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This enabled us to then manipulate them and start looking for security issues.
Attack 1: Change the Identity of a Sender in a Group Chat, Even If They Are Not a Member of the Group
In this attack, it is possible to spoof a reply message to impersonate another group member and even a non-existing group member, for example, ‘Mickey Mouse’.
To impersonate someone from the group, all the attacker needs to do is capture the encrypted traffic. Once the traffic is captured, he can simply send it to the extension, which will then decrypt it.
The interesting parameters to note here are:
- conversation – This is the actual content which is sent.
- participant – This is the participant that actually sent the content.
- fromMe – This parameter indicates if I sent the data or someone else in the group did.
- remoteJid – This parameter indicates to which group/contact the data is sent.
- id – The id of the data. The same id will appear in phone databases.
And this is the point where interesting things begin to happen…
For example, we can change the conversation to something else. The message with the content “Great!” sent by a member of a group, for instance, could be changed to something else like: “I’m going to die in a hospital right now” and the participant parameter could also be changed to someone else from the group:
Note that we have to change the id to something else because it is already sent and appears in the database.
In order to make everyone see the new spoofed message, the attacker needs to reply to the message he spoofed, quoting and changing that message (“Great”) so that it is sent to everyone in the group. As you can see in the screenshot below, we created a new group where no previous messages were sent, and by using the method from above we were able to create a fake reply.
The ‘participant’ parameter can also be a text or a phone number of someone who is not in the group, which would cause everyone in the group to believe that it was actually sent by this participant.
…and the results will look like this.
This would again be sent to everyone in the group as before.
Attack 2: Changing a Correspondent’s Reply To Put Words in Their Mouth
In this attack, the attacker is able to manipulate the chat by sending a message back to himself on behalf of the other person, as if it had come from them. By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example.
In order to spoof the messages, we have to manipulate the ‘fromMe’ parameter in the message, which indicates who sent the message in the personal chat.
This time we will capture the outgoing message from WhatsApp Web before it is even sent to our Burp Suite. In order to do that, we can put a breakpoint on the aesCbcEncrypt function and take the data from the ‘a’ parameter. We will then copy this data to our Burp extension and select the outgoing direction. By pressing “Decrypt”, our extension will decrypt the data.
After changing ‘fromMe’ to false and encrypting the data back, we then have to modify the ‘a’ parameter in our browser, and the result will be a push notification with the new content. In this way, it is even possible to spoof the entire chat.
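The two attacks above and the parameter list in Attack 1 both come down to the receiving side trusting fields (‘participant’, ‘fromMe’, the quoted ‘id’) that it could cross-check against what it already knows. The following is an added example, not Check Point’s Burp extension and not WhatsApp’s code: a schema-less protobuf wire-format decoder that turns a length-delimited/varint byte stream into a dict with the article’s parameter names, and a `check_message` function showing the consistency checks a client could apply to a decoded message. The field numbers in `FIELD_NAMES`, the JIDs, the message ids and the `quoted` structure are all constructed assumptions; WhatsApp’s real schema is not on the page and is not reproduced.

```python
"""Added example: protobuf wire-format decoder + receiver-side consistency checks.
Not Check Point's extension and not WhatsApp's code; field numbers and JIDs are
constructed for illustration only."""
from typing import Dict, List, Optional, Tuple, Union

# HYPOTHETICAL field numbers so the constructed sample can be labelled with the
# parameter names from the article. WhatsApp's real schema is NOT reproduced here.
FIELD_NAMES = {1: "conversation", 2: "participant", 3: "fromMe", 4: "remoteJid", 5: "id"}


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint starting at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode(buf: bytes) -> Dict[str, Union[int, str, bytes]]:
    """Walk the wire format: each field starts with a varint tag
    (field_number << 3 | wire_type). Only the two wire types needed for
    strings/bytes (2) and bool/int scalars (0) are handled."""
    out: Dict[str, Union[int, str, bytes]] = {}
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        name = FIELD_NAMES.get(field_no, f"field_{field_no}")
        if wire_type == 0:                       # varint: ints, bools, enums
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                     # length-delimited: strings, bytes, nested
            length, pos = read_varint(buf, pos)
            raw = buf[pos:pos + length]
            if len(raw) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw                      # keep opaque bytes as-is
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        out[name] = value
    return out


def check_message(msg: Dict, direction: str, members: set,
                  local_store: Dict[str, Tuple[str, str]],
                  quoted: Optional[Dict] = None) -> List[str]:
    """Return the names of the consistency checks that FAIL for a decoded message.

    direction:   "incoming" (delivered by the peer) or "outgoing" (produced here)
    members:     JIDs known to be in the group named by remoteJid
    local_store: {message id: (participant, conversation)} already saved locally
    quoted:      hypothetical {"id", "participant", "conversation"} dict carried
                 by a reply that quotes an earlier message
    """
    findings: List[str] = []
    # fromMe must agree with the direction the transport actually delivered it in
    if (msg.get("fromMe") == 1) != (direction == "outgoing"):
        findings.append("fromMe_mismatch")
    if msg.get("participant") not in members:
        findings.append("participant_not_member")
    if msg.get("id") in local_store:
        findings.append("duplicate_id")
    if quoted is not None:
        # A quote is only trustworthy if it matches the copy already stored
        # locally under that id: same author and same text.
        stored = local_store.get(quoted["id"])
        if stored != (quoted["participant"], quoted["conversation"]):
            findings.append("quote_tampered")
    return findings


def _ld(field_no: int, text: str) -> bytes:
    """Encode one short (<128 byte) length-delimited field for the constructed sample."""
    data = text.encode("utf-8")
    return bytes([field_no << 3 | 2, len(data)]) + data


GROUP = "group-123@example.invalid"      # constructed remoteJid
ALICE = "alice@example.invalid"          # constructed participant JIDs
BOB = "bob@example.invalid"
MEMBERS = {ALICE, BOB}

# Constructed wire bytes for the article's example: "Great!" sent by Alice.
SAMPLE = (
    _ld(1, "Great!") + _ld(2, ALICE)
    + bytes([3 << 3 | 0, 0])             # field 3, varint: fromMe = 0
    + _ld(4, GROUP) + _ld(5, "MSG-0001")
)

if __name__ == "__main__":
    original = decode(SAMPLE)
    store = {original["id"]: (original["participant"], original["conversation"])}
    reply = {"conversation": "ok", "participant": BOB, "fromMe": 0,
             "remoteJid": GROUP, "id": "MSG-0002"}
    print(check_message(reply, "incoming", MEMBERS, store,
                        quoted={"id": "MSG-0001", "participant": ALICE,
                                "conversation": "Great!"}))        # []
    print(check_message(reply, "incoming", MEMBERS, store,
                        quoted={"id": "MSG-9999", "participant": "Mickey Mouse",
                                "conversation": "altered text"}))  # ['quote_tampered']
```

`quote_tampered` covers both variants of Attack 1 (changed text, and a ‘participant’ who is not in the group), because neither matches the locally stored copy of the quoted id; `fromMe_mismatch` covers Attack 2, where a message that arrived from the peer claims to have been sent by this device.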