Check Point Research says that it found three different ways to exploit the vulnerability, including the ability to put words in your mouth…
The research team said that there are two different ways of making it appear you said something you didn’t.
A threat actor may:
- Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
In the first case, something written by someone else could be altered so that it appears to have been written by you. In the second, something you did write can be freely edited when quoted by anyone else in the chat. The original message itself remains unchanged, but anyone viewing the quoted text would see the doctored version. You can see this one demonstrated in the video below.
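The defensive observation in the paragraph above is that the original message is still intact in every recipient's local history; only the quote payload is doctored. As an added illustration (not code from Check Point, WhatsApp or the article, and using an assumed, simplified message model rather than WhatsApp's real wire format), the following Python shows a client-side consistency check that compares a quote against the locally stored original and against current group membership, and a renderer that displays the stored original instead of trusting the carried quote:

```python
# Added example: client-side cross-check of quoted messages against local history.
# The Message fields, the store and the member set are assumptions for this
# illustration, not WhatsApp's actual data structures.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Message:
    msg_id: str
    sender: str
    text: str
    quoted_id: Optional[str] = None       # id of the message being quoted (assumed field)
    quoted_sender: Optional[str] = None   # sender name carried inside the quote (assumed field)
    quoted_text: Optional[str] = None     # text carried inside the quote (assumed field)


def check_quote(msg: Message, store: Dict[str, Message], members: Set[str]) -> List[str]:
    """Return findings for a message that carries a quote.

    `store` maps msg_id -> the original Message as this client received it;
    `members` is the set of current group participants.  Both are data the
    receiving client already has, so no server involvement is needed.
    """
    findings: List[str] = []
    if msg.quoted_id is None:
        return findings  # plain message, nothing to verify
    if msg.quoted_sender not in members:
        findings.append("quoted sender is not a group member")
    original = store.get(msg.quoted_id)
    if original is None:
        findings.append("quoted message id not found in local history")
        return findings
    if original.sender != msg.quoted_sender:
        findings.append("quoted sender does not match original sender")
    if original.text != msg.quoted_text:
        findings.append("quoted text differs from original text")
    return findings


def render_quote(msg: Message, store: Dict[str, Message]) -> Tuple[str, str]:
    """Return (sender, text) to display for the quote.

    Prefers the locally stored original over the quote payload, so a doctored
    quote cannot change what the viewer sees.  Falls back to the carried
    values, marked unverified, only when the original is not in history.
    """
    original = store.get(msg.quoted_id) if msg.quoted_id else None
    if original is not None:
        return (original.sender, original.text)
    return (f"{msg.quoted_sender} (unverified)", f"{msg.quoted_text} (unverified)")


# Constructed sample data: one group with three members and one stored message.
MEMBERS: Set[str] = {"alice", "bob", "carol"}
STORE: Dict[str, Message] = {
    "m1": Message(msg_id="m1", sender="alice", text="Meet at 10"),
}

# Constructed incoming replies illustrating the three outcomes.
SAMPLE_MESSAGES: Dict[str, Message] = {
    # Honest quote: sender and text match the stored original.
    "honest": Message("m2", "bob", "See you there", "m1", "alice", "Meet at 10"),
    # Quote attributed to someone who is not in the group.
    "spoofed_sender": Message("m3", "bob", "Really?", "m1", "mallory", "Meet at 10"),
    # Quote whose text has been altered relative to the original.
    "altered_text": Message("m4", "carol", "OK", "m1", "alice", "Meet at 12"),
}


if __name__ == "__main__":
    for label, m in SAMPLE_MESSAGES.items():
        print(label, check_quote(m, STORE, MEMBERS), render_quote(m, STORE))
```

The check only works because each recipient keeps its own copy of the original message; a quote that references a message the client never received can only be flagged as unverified, not proven false.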
Additionally, Check Point found a way to fool you into mixing up public and private messages. Facebook was able to fix that one, but, worryingly, the company says it isn’t practical to fix the other two WhatsApp security flaws, even though it was told about them a year ago.
The problem is that WhatsApp uses end-to-end encryption. The vulnerability relies on the fact that a participant in the group can, of course, access the decrypted version of the messages. Facebook, however, cannot, and so says it is unable to intervene in this kind of within-chat attack.
TNW explains how the attack works.
The researchers exploited the web version of WhatsApp that allows users to pair their phone using a QR code.
By obtaining the private and public key pair created before a QR code is generated, and the “secret” parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly […]
Once the web traffic — containing details like participant details, the actual conversation, and a unique ID — is captured, the researchers said the flaws allowed them to spoof message replies, alter message content, and even “manipulate the chat by sending a message back to the sender on behalf of the other person, as if it had come from them.”
The risk of real-life exploitation will be low for most people. However, the more people in a chat, the greater the risk, so the biggest threat here is large groups, where the approach could be used to disseminate disinformation that would then be forwarded by other people.
An upcoming change in iOS 13 will limit what messaging apps like WhatsApp can do while running in background mode, but it won’t have any impact on this issue.