The recent controversy surrounding the hacking of WhatsApp, the most popular messaging platform in the world, has not yet settled. Last month, WhatsApp was found to have quietly patched another critical vulnerability in its application that could allow attackers to compromise targeted devices remotely and potentially steal the chat messages and files stored on them.
The vulnerability, tracked as CVE-2019-11931, is a stack-based buffer overflow in the way previous versions of WhatsApp parsed the base flow metadata of MP4 files; it can result in denial of service or remote code execution.
To exploit the vulnerability remotely, all an attacker needs is the phone number of the targeted user; they then send the malicious MP4 file via WhatsApp, and the file can be crafted to silently install a backdoor application or spyware on the compromised device.
The vulnerability affects both the consumer and the enterprise WhatsApp applications on all major platforms, including Google Android, Apple iOS and Microsoft Windows.
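The bug class described above is a length field read from the file and trusted when data is copied into a fixed-size buffer. The following added example (it is not WhatsApp's code and not part of the original post) walks the ISO BMFF box structure that MP4 files use and shows the checks a parser needs: every declared box size is compared with the bytes actually present, and a copy into a fixed buffer is bounded by the buffer's capacity rather than by the declared length. The sample boxes and the `MAX_BOX_SIZE` cap are constructed for illustration.

```python
import struct
from typing import List, Optional, Tuple

# Constructed upper bound on a single box. Real parsers derive limits from the
# container, but an explicit cap also rejects absurd declared lengths early.
MAX_BOX_SIZE = 1 << 32


def parse_boxes(data: bytes, offset: int = 0, end: Optional[int] = None) -> List[Tuple[str, bytes]]:
    """Walk the ISO BMFF boxes in data[offset:end] and return (type, payload) pairs.

    Every declared length is validated against the bytes that are actually
    present before it is used, so an oversized, undersized or truncated box
    raises ValueError instead of being copied on trust.
    """
    if end is None:
        end = len(data)
    boxes = []
    while offset < end:
        if end - offset < 8:
            raise ValueError("truncated box header at offset %d" % offset)
        size, box_type = struct.unpack_from(">I4s", data, offset)
        header_len = 8
        if size == 1:                      # 64-bit "largesize" follows the type
            if end - offset < 16:
                raise ValueError("truncated largesize header")
            size = struct.unpack_from(">Q", data, offset + 8)[0]
            header_len = 16
        elif size == 0:                    # box extends to the end of the container
            size = end - offset
        if size < header_len:              # would underflow a "size - header" computation
            raise ValueError("box %r declares size %d smaller than its header" % (box_type, size))
        if size > MAX_BOX_SIZE or size > end - offset:
            raise ValueError("box %r declares %d bytes but only %d are available" % (box_type, size, end - offset))
        boxes.append((box_type.decode("ascii", "replace"), data[offset + header_len:offset + size]))
        offset += size
    return boxes


def copy_into_fixed_buffer(payload: bytes, capacity: int) -> bytes:
    """Model of the fixed-size (stack) buffer copy behind this bug class.

    The copy length must be bounded by the buffer's capacity, never by the
    attacker-controlled length taken from the file.
    """
    if len(payload) > capacity:
        raise ValueError("payload of %d bytes exceeds buffer of %d" % (len(payload), capacity))
    return bytes(payload)


def is_well_formed(data: bytes) -> bool:
    """True if every box in the container passes the size checks above."""
    try:
        parse_boxes(data)
        return True
    except ValueError:
        return False


def make_box(box_type: bytes, payload: bytes) -> bytes:
    """Build a box with a correct 32-bit size; used only to construct samples."""
    return struct.pack(">I4s", 8 + len(payload), box_type) + payload


# Constructed sample: a minimal ftyp box followed by a moov box with one child box.
SAMPLE_GOOD = make_box(b"ftyp", b"isom\x00\x00\x02\x00") + make_box(b"moov", make_box(b"mvhd", b"\x00" * 8))
# Constructed malformed sample: 'mdat' claims 4096 bytes but only 16 follow the header.
SAMPLE_OVERSIZED = struct.pack(">I4s", 4096, b"mdat") + b"\x00" * 16
# Constructed malformed sample: declared size is smaller than the 8-byte header itself.
SAMPLE_UNDERSIZED = struct.pack(">I4s", 4, b"mdat")

if __name__ == "__main__":
    print([t for t, _ in parse_boxes(SAMPLE_GOOD)])
    print(is_well_formed(SAMPLE_OVERSIZED), is_well_formed(SAMPLE_UNDERSIZED))
```

Nested boxes are parsed by calling `parse_boxes` again on a parent's payload, so the same checks apply at every level of the container.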
According to the advisory, the list of affected application versions is as follows:
- Android versions before 2.19.274
- iOS versions before 2.19.100
- Enterprise Client versions before 2.25.3
- Windows Phone versions before and including 2.18.368
- Business for Android versions before 2.19.104
- Business for iOS versions before 2.19.100
The severity and impact of this vulnerability are comparable to the WhatsApp VoIP calling flaw exploited by the Israeli company NSO Group to install Pegasus spyware on nearly 1,400 targeted Android and iOS devices worldwide. The WhatsApp MP4 vulnerability came just two weeks after Facebook sued NSO Group for abusing the WhatsApp service to target its users.
Meanwhile, to avoid becoming a potential surveillance target, we should pay extra attention when we receive unexpected MP4 video files via WhatsApp from unknown numbers. If a file looks suspicious, do not open it and delete the message immediately.
It is therefore recommended that all users ensure they are running the latest version of WhatsApp on their device and disable automatic downloading of image, audio and video files in the application settings.
In response to the current WhatsApp issue, the DNS team made an observation and found three possible methods of attack against this vulnerability, all of which involve social engineering tactics to fool end users. A threat actor would:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
As we know, WhatsApp encrypts every message, picture, call, video and any other type of content you send so that only the recipient can see it. Below is the technical analysis of WhatsApp group communication that was conducted by another research team.
Figure 1. Whatsapp Encrypted Chat
These encryption processes caught the researchers' attention, and they decided to try to reverse WhatsApp's algorithm in order to decrypt the data. After decrypting the WhatsApp communication, they found that WhatsApp uses the protobuf2 protocol to encode it.
By converting this protobuf2 data to JSON they were able to see the actual parameters that are sent, and to manipulate the protobuf2 data in order to check WhatsApp's security.
The outcome of the research is a Burp Suite extension and a set of manipulation methods.
To start the manipulation, the first things they had to obtain were the private and public keys of their session, which are then entered into the Burp Suite extension.
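The protobuf-to-JSON step is what makes the parameters readable. The following added example (not the researchers' extension and not part of the original post) decodes the protobuf wire format directly, without a `.proto` file, and renders the result as JSON. The field numbering in `SCHEMA`, the JIDs and the message id are assumptions constructed for the example; the real WhatsApp schema is not given on the page. The decoder also handles the edge case a captured stream often presents, a length-delimited field whose declared length runs past the end of the buffer.

```python
import json
import struct
from typing import Dict, List, Tuple, Union

# Hypothetical field numbering for the parameters the article names; the real
# WhatsApp schema is not on the page, so this mapping is an assumption.
SCHEMA = {
    1: ("remoteJid", str),
    2: ("fromMe", bool),
    3: ("id", str),
    4: ("participant", str),
    5: ("conversation", str),
}


def write_varint(n: int) -> bytes:
    """Encode a non-negative integer as a base-128 varint."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a varint at buf[pos]; returns (value, new_pos) and rejects truncation."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_fields(fields: List[Tuple[int, Union[int, bool, str, bytes]]]) -> bytes:
    """Encode (field_number, value) pairs: ints/bools as varints, str/bytes length-delimited."""
    out = bytearray()
    for number, value in fields:
        if isinstance(value, bool):
            value = int(value)
        if isinstance(value, int):
            out += write_varint((number << 3) | 0) + write_varint(value)
        else:
            if isinstance(value, str):
                value = value.encode("utf-8")
            out += write_varint((number << 3) | 2) + write_varint(len(value)) + value
    return bytes(out)


def decode_fields(buf: bytes) -> Dict[int, list]:
    """Decode the wire format into field number -> list of raw values."""
    fields: Dict[int, list] = {}
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:                                   # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                                 # 64-bit fixed
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:                                 # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value = bytes(buf[pos:pos + length])
            pos += length
        elif wire_type == 5:                                 # 32-bit fixed
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.setdefault(number, []).append(value)
    return fields


def to_json(buf: bytes, schema=SCHEMA) -> str:
    """Decode buf and name the fields via schema; unknown fields become field_N with hex bytes."""
    named = {}
    for number, values in decode_fields(buf).items():
        name, typ = schema.get(number, ("field_%d" % number, bytes))
        converted = []
        for v in values:
            if isinstance(v, bytes):
                converted.append(v.decode("utf-8") if typ is str else v.hex())
            else:
                converted.append(bool(v) if typ is bool else v)
        named[name] = converted[0] if len(converted) == 1 else converted
    return json.dumps(named, sort_keys=True)


# Constructed sample message; the JIDs and id are made up for the example.
SAMPLE = encode_fields([
    (1, "123456789-group@g.us"),
    (2, False),
    (3, "3EB0ABCDEF"),
    (4, "1111@s.whatsapp.net"),
    (5, "Great!"),
])

if __name__ == "__main__":
    print(to_json(SAMPLE))
```

Because the decoder keeps raw values per field number, a message encoded with a schema you do not know still decodes; only the naming step depends on `SCHEMA`.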
Accessing the Keys
This technique for accessing the keys was also carried out by the researchers, and we reproduce it here from their article. The keys can be obtained during the key generation phase of WhatsApp Web, before the QR code is generated, as shown below:
Figure 2. Public and Private Key of the Communication
After taking these keys, they need to take the “secret” parameter, which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:
Figure 3. The Secret Key from the WebSocket
As a result, their extension will look like the picture below:
Figure 4. WhatsApp Decoder Burp Extension
After clicking the “Connect” button, the extension connects to the extension's local server, which performs all the tasks required by the extension.
By decrypting the WhatsApp communication, an attacker could see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed the researchers to manipulate them and start looking for security issues.
This made it possible to carry out a variety of attack types, which are described below.
Attack 1: Change the identity of a sender in a group chat, even if they are not a member of the group
In this attack, it is possible to spoof a reply message by impersonating a group member, or even a non-existent group member, for example ‘Mickey Mouse’.
To impersonate someone from the group, the attackers first need to capture the encrypted traffic:
Figure 5. Encrypted WhatsApp Communication
Once the traffic is captured, they can simply send it to the extension, which will then decrypt the traffic:
Figure 6. Decrypting the WhatsApp Message by Using Our Extension
The interesting parameters to note here are:
- conversation – The actual content that is sent.
- participant – The participant who actually sent the content.
- fromMe – Indicates whether the data was sent by me or by someone else in the group.
- remoteJid – Indicates to which group or contact the data is sent.
- id – The id of the data. The same id will appear in the phone's databases.
Why do we call them interesting? The following points show how the manipulation happens.
For example, they can change the conversation parameter to something else. A message with the content “Great!” sent by a member of the group could be changed to something like “I’m going to die, in a hospital right now”, and the participant parameter could also be changed to someone else from the group:
Figure 7. A Spoofed Reply Message
Note that they also have to change the id to something else, because the original id has already been sent and appears in the database.
In order to make everyone see the new spoofed message, the attacker needs to reply to the message he spoofed, quoting and changing that message (“Great!”), and send it to everyone in the group.
As you can see in the screenshot below, they created a new group in which no previous messages had been sent, and by using the method above they were able to create a fake reply.
Figure 8. The Original Conversation
The ‘participant’ parameter can also be text or the phone number of someone who is not in the group, which would lead everyone in the group to believe that the message really came from that participant.
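The parameters listed above and the spoofing steps just described (an altered conversation, a changed or non-member participant, a replaced id) all leave traces that a receiving client can compare against its own message store. The following added example (not WhatsApp's code and not part of the original post) shows such a consistency check from the defender's side. It assumes a reply carries the quoted message's id, participant and text, and that the client keeps the group's member list and its previously received messages locally; the group JID, member JIDs, ids and message bodies are constructed for the example.

```python
from typing import Dict, List, Set

# Constructed local state, standing in for the phone-side database the article
# refers to (the "id" that "will appear in the phone's databases").
GROUP = "123456789-group@g.us"                      # constructed group JID
MEMBERS: Set[str] = {
    "alice@s.whatsapp.net",
    "bob@s.whatsapp.net",
    "me@s.whatsapp.net",
}
STORE: Dict[str, dict] = {
    "3EB0000001": {
        "remoteJid": GROUP,
        "participant": "alice@s.whatsapp.net",
        "conversation": "Great!",
    },
}


def check_quoted_reply(reply: dict, members: Set[str] = MEMBERS, store: Dict[str, dict] = STORE) -> List[str]:
    """Compare the quoted part of a reply with local state.

    Returns the list of inconsistencies found; an empty list means the quote
    matches what this client actually received.
    """
    quoted = reply["quoted"]
    findings: List[str] = []

    # A quoted sender who is not in the group (the 'Mickey Mouse' case).
    if quoted["participant"] not in members:
        findings.append("quoted participant is not a member of this group")

    original = store.get(quoted["id"])
    if original is None:
        # The spoofed message had to be given a new id, so it was never received.
        findings.append("quoted message id not found in local store")
    else:
        if original["participant"] != quoted["participant"]:
            findings.append("quoted participant differs from stored sender")
        if original["conversation"] != quoted["conversation"]:
            findings.append("quoted text differs from stored message")
        if original["remoteJid"] != reply["remoteJid"]:
            findings.append("quoted message belongs to a different chat")

    # The reply itself must not reuse an id that is already in the store.
    if reply["id"] in store:
        findings.append("reply reuses an id already in the store")
    return findings


# Constructed replies: one genuine, one quoting a non-member with a new id,
# one quoting a real id but with altered sender and text.
GENUINE_REPLY = {
    "id": "3EB0000002", "remoteJid": GROUP, "participant": "bob@s.whatsapp.net",
    "conversation": "Agreed",
    "quoted": {"id": "3EB0000001", "participant": "alice@s.whatsapp.net", "conversation": "Great!"},
}
NON_MEMBER_REPLY = {
    "id": "3EB0000003", "remoteJid": GROUP, "participant": "bob@s.whatsapp.net",
    "conversation": "Oh no!",
    "quoted": {"id": "3EB0000099", "participant": "mickey@s.whatsapp.net",
               "conversation": "I'm going to die, in a hospital right now"},
}
ALTERED_REPLY = {
    "id": "3EB0000004", "remoteJid": GROUP, "participant": "bob@s.whatsapp.net",
    "conversation": "Oh no!",
    "quoted": {"id": "3EB0000001", "participant": "bob@s.whatsapp.net",
               "conversation": "I'm going to die, in a hospital right now"},
}

if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE_REPLY), ("non-member", NON_MEMBER_REPLY), ("altered", ALTERED_REPLY)):
        print(name, check_quoted_reply(reply))
```

The check only works for messages this client actually received, which is why the store is keyed by id: a quote of an id that was never delivered is itself the signal.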
Figure 9. Changing The Content Of The Message By Using Our Debugging Tools
The result will look like this:
This would again be sent to everyone in the group as before.
Figure 10. Reply to a Message Sent from Someone Outside the Group
As WhatsApp is constantly working to improve its security, all users are advised to make sure they are running the latest version of WhatsApp on their device and to disable the auto-download feature for images, audio and video files in the app settings.