On 7th August at the Black Hat conference, Roman Zaikin, a security researcher, and Oded Vanunu, head of product vulnerability research, both at Check Point, presented their research paper entitled 'Reverse Engineering WhatsApp Encryption for Chat Manipulation and More'.
According to the paper, Zaikin and Vanunu, together with fellow researcher Dikla Barda, reverse engineered the WhatsApp Web source code and successfully decrypted WhatsApp traffic. To do this, they built an extension for Burp Suite, a web application testing tool.
The researchers described three attack scenarios enabled by the bug:
- The ability to send a private message to another group participant that is disguised as a public message, so that the targeted individual's "private" response is visible to everyone in the conversation.
- The use of the "quote" function in a group conversation to change the identity of the message sender, even to that of a person who is not a member of the group in question.
- A method to alter the text of someone else's reply so that it says whatever the attacker wants: the ultimate modern-day example of "putting words in someone's mouth."
Check Point reported the findings to the Facebook Security team under responsible disclosure, but Facebook fixed only the first item on the list and did not consider the other two to be security bugs.
The researchers have now published a video demonstrating the bug, showing manipulation of message content.
Regarding the bug, a Facebook spokesperson said, "The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn't write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private, such as storing information about the origin of messages."