A noteworthy WhatsApp vulnerability allows malicious users to infiltrate group chats and manipulate the messages of individual users. The hackers can take advantage of the malware method and abuse it to intercept and change contents of messages sent in private conversations or large group chats.
Vector Attribution: FreePik
Hackers Can Manipulate Group Chats Via WhatsApp Vulnerability
The WhatsApp messenger client has been plagued by security bugs for quite some time, one of the recent issues has been the cause of concern to security experts. It appears that due to multiple weaknesses hackers can take advantage of the chats — both private ones and in groups. This particular weakness may be a follow-up to the bugs discovered in the app back in January this year.
The criminals abuse the quote feature used in group conversations in order to cause a multitude of malware actions:
- The hackers can change the identity of the senders of a specified message.
- A contents of someone’s reply can be modified.
- A private message can be sent to a specific group participant disguised as a group message.
The security researchers note that the vulnerability does not allow a third person to intercept or change the sent messages. As such the malware changes can only be exploited by users that are part of a group. The bugs can be exploited using various approaches, the proof-of-concept model uses a custom extension for a popular web security software (Burp Suite) which was used for demonstration purposes. The findings showcase that using this method the attackers have the ability to intercept and modify the encrypted messages using the Whatsapp Web interface.
The tool is available for free on GitHub at the moment and it can be used when the associated public and private keys are obtained. They can be extracted during the key generation phase used by the WhatsApp Web interface before the QR code has been generated.
Three distinct attack scenarios have been demonstrated:
- Changing a User’s Reply — The attacking platform can modify the message of a given user.
- Identity Change — By exploiting the “quote” function the hackers can spoof message thereby impersonating both existing or non-existing group members in a conversation.
- Private Messages — The third demonstrationshows how a hacker can send a crafted message that only a single user can view.
These attacks showcase that there is a fundamental issue with the program — the hackers can exploit the messages sent via WhatsApp without breaking the end-to-end encryption. It is very possible that the vulnerability can be leveraged to spread fake news and phishing attacks.
The response coming in from the WhatsApp security team is that this is not a problem with the application itself. They present the argument that this is a design trade-off. The users can always block the sender of spoofed messages and report the instances to the team. Another argument is that the messages are not stored on the server — there is no single source of truth for the sent messages.