back to article WhatsApp security snafu allows sneaky 'message manipulation'

Researchers claim to have uncovered weaknesses in WhatsApp that can be exploited to manipulate messages in private and group conversations. Eggheads at Israeli security firm Check Point this week described how, with some social engineering trickery and custom extensions for popular network-packet-twiddling toolkit Burp Suite, …

  1. nuked

    Is this new? - I thought there was some stuff in January of these flaws.

    1. Charlie Clark Silver badge

      Checkpoint pimping for business again.

      1. Anonymous Coward
        Anonymous Coward

        Case law...?

        Everyone is pimping for business.

        It is useful because it does at least 2 things:

        1. Raises public perception that security is hard and not to trust the app developers

        2. CP are speding _their_ money trying to keep us all secure

        Side effect is that it might make consumers afraid to use technology, but is that more or less frightening than people blindly adopting new stuff...

        1. Stevie

          Re: Case law...?

          User: So this app is insecure? I must stop usi ... AWW! Lookit the kittens!

  2. Arthur the cat Silver badge

    Various factions of MPs use WhatsApp groups for plotting organising. I'm sure much fun could be had using this attack.

    1. Anonymous Coward
      Anonymous Coward

      " I'm sure much fun could be had using this attack."

      You are sure it isn't being done to politicians' messages already? It could explain a lot. Does it work for Twitter?

  3. Anonymous Coward
    Anonymous Coward

    Checkpoint uncovered Zuckerberg's plans to pry open WhatsApp messages

    That why both WhatsApp founders left abruptly recently....

  4. frank ly

    No privacy for the public

    "3. send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation."

    Should this be "send what is really a public message that is disguised as a private message, etc"

    1. Tom Sparrow

      Re: No privacy for the public

      I think the original way round is correct - for example it would allow you to provoke someone in what they think is a group message but is actually private. When they reply with abuse to you, it looks like to the rest of the group as if it's come out of the blue.

      Or possibly, ask them to share information with the group that they shouldn't so they get the blame instead of you.

      All of these require you to be a member of the group in the first place though, as far as I can see. If you invite the FBI into your group chat, you've really only got yourself to blame.

    2. Anonymous Coward
      Anonymous Coward

      Re: No privacy for the public

      The way the WhatApp protocol works for group chats is that the sending client encrypts the message being sent individually for each member of the group, marks that message as part of a group chat and sends every copy of the message to whatsapp for dissemination,

      So group chat messages are actually private messages being "disguised" as a group message.

  5. Gnosis_Carmot

    How long?

    So how long have the NSA, FBI, and CIA been using this one?

    1. Waseem Alkurdi

      Re: How long?

      This particular hack is too impractical to be three-letter-agency stuff.

  6. Anonymous Coward
    Anonymous Coward

    Whatsapp is used a lot by doctors in hospitals

    Just saying.

    Data on it never ends up in the medical record either, so all of those clinicians are leaving themselves open to law suits down the road when they can't remember why certain medical procedures were carried out and who authorised them etc.

    It's one of the reasons some hospitals are starting to make mobile access tricky and banning staff carrying them on duty.. plus they are an infection control risk..

    1. Stevie

      Re: plus they are an infection control risk..

      Not if they run Malwarebytes, surely?

  7. GarethWright.com

    Github

    Here's the link you all really want...

    https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint

  8. Anonymous South African Coward Bronze badge

    And some banks already allow banking by whatsapp.

    Going to be interesting.

    1. Stevie

      And some banks already allow banking by whatsapp.

      They do?

      Are they real banks or the ones run by Nigerian Princes in Exile?

  9. amanfromMars 1 Silver badge

    That's Just ITs Giant First Baby Steps

    The white hat hackers said they'd found it was possible to fake messages and sow the seeds of all sorts of confusion. All the techniques involve social engineering tactics to hoodwink end users, as explained at some length in a blog post by Check Point here.

    Whenever techniques create new indelible end users ... and Phantom Ghost Post Hostings .... are Messages Out of this Worldly Almighty ...... and to Prove Quite Impossible to Deny as a Valid Total Information Awareness Tool/Practically Immaculate Platform.

    Here is the Premise ....... Rather than hoodwinking end-users with alteration of ongoing second and third party shenanigans, provide evidence of emergence of new directions being ACTively Explored with and Ruthlessly Exploited by SMARTR Beta Greater IntelAIgent Games Players. Such then does not have one chasing the tail of crashed tales and crushed trails but much more forging ahead way out in the open in Virgin Fields of Augmented Virtual Reality Engagement.

    Jump in at the Off and Initial Public Offering of that Programming Doozie and there be Monumental Riches Aplenty for Distribution in Recognition of Value Adding Bounty.

  10. ExpatZ

    Yeah, what is this, the 178,243rd major flaw in WhatsApp that allows everyone and their mom to pwn your system/phone?

    Get a clue already, WhatsApp is insecure trash now and will always be insecure trash no matter how many times the "fix" it.

  11. Anonymous Coward
    Anonymous Coward

    WhatsApp or Signal protocol?

    Is the weakness in WhatsApp or the Signal Protocol itself?

    I haven’t read the linked article, but the Reg article suggests that the flaw can manipulate encrypted data, which sounds… worrying.

    1. Waseem Alkurdi

      Re: WhatsApp or Signal protocol?

      Done the reading for you - the idea is that they get the public/private key pair from a WhatsApp Web session (when you link the phone and the Web browser, in particular), then they use the F12 panel to alter the requests being sent through the web client, decrypting the messages using the key pair in the process.

      1. JimboSmith Silver badge

        Re: WhatsApp or Signal protocol?

        I don't know of anyone who uses it via a web browser. That's a new one for me, everyone just uses the app.

        1. cb7

          Re: WhatsApp or Signal protocol?

          I do.

          I'm trying out WhatsApp Business, so use WhatsApp Web with it via the browser on my PC. I use the WhatsApp Windows App for personal WhatsApp.

          I find WhatsApp Web launch speed really suffers when the number of chats is very large. Some optimisation is very much needed.

    2. ExpatZ

      Re: WhatsApp or Signal protocol?

      It's WhatsApp.

    3. Adam 1

      Re: WhatsApp or Signal protocol?

      Why down votes for AC on a reasonable question? Signal users are indeed very interested given that WhatsApp uses the same end to end encryption protocol.

      <PedantHat>

      There is no need to worry that an attacker can manipulate encrypted data. This is always a possibility and is logically unpreventable (at least outside of quantum cryptography). The concerning thing is if they can do so with more than a decimal point of an astronomically small number percentage chance of detection by the receiver.

      </PedantHat>

      1. GIRZiM

        Re: WhatsApp or Signal protocol?

        > Why down votes for AC on a reasonable question?

        I can never find the right cartoons anywhere online when I want them *sigh*.

        IIRC, there's a B. Kliban/G. Larson one entitled 'Dummies and Feebs' and another one (by one or the other, but I suspect Larson) entitled something like 'Retards' (or the word forms a prominent part of it at least).

        Anyway... there's your answer, fishbulb.

  12. cb7

    It was secure once upon a time

    But as soon as it came to the attention of uncle Sam, it was bought out by FB.

    Now you can bet backdoor access exists. It's even more blatant than that. It's no secret that WhatsApp now backs up chats to Google Drive and we all know how private that is.

    Hell there are even free third party apps that will decrypt iPhone backups to allow you to migrate your chat history from iOS to Android.

    Migration of chats between platforms is a function WhatsApp should support themselves but they don't currently.

    1. David Nash Silver badge

      Backup to Google Drive

      WhatsApp sometimes decides to ask me if I want to backup to GD but I have never said yes.

      I It seems to be optional.

  13. steviebuk Silver badge

    I had a thought the other day...

    ....and because I don't know how WhatsApp end to end encryption works I don't know if I'm talking bollocks or not. But I thought this.

    You're in WhatsApp with its end to end encryption. You're then using GBoard from Google within WhatsApp. We know Google loves to collect data so are they actively collecting data from GBoard while its in the end to end encrypted WhatsApp? If so, are they then essentially breaking the end to end encryption by storing what you've typed? So could someone, if they knew, ask for the data that terrorist was typing while in his/her WhatsApp and using the GBoard?

    Again, I don't know enough about this so I could be totally wrong (and I suspect I am) but just got me thinking the other day.

    1. Waseem Alkurdi

      Re: I had a thought the other day...

      Let me answer that with an affirmative, though this isn't about breaking the end-to-end encryption layer.

      What happens is that Gboard (or that Chinese malware keyboard app on the Play Store, hey, it's got colors!) intercepts keystrokes before they even get sent to the application, in this case WhatsApp. The keystrokes are only encrypted after you hit Send.

      So yep, it's even possible for any enthusiast to use a keylogger disguised as a keyboard app.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like