On 7th August at the Black Hat conference, Roman Zaikin, a security researcher, and Oded Vanunu, head of products vulnerability research, both at Check Point, presented their research paper entitled 'Reverse Engineering WhatsApp Encryption for Chat Manipulation and More'.
According to the paper, Zaikin and Vanunu, along with another researcher, Dikla Barda, managed to reverse engineer the WhatsApp web source code and successfully decrypt WhatsApp traffic. To do this, they created an extension for Burp Suite, a web application testing tool.
The researchers explained three attack scenarios for the bug:
- The ability to send a private message to another group participant, disguised as a public message, resulting in the “private” response from the targeted individual being visible to everyone in the conversation.
- The use of the “quote” function of a group conversation to change the identity of the message sender, a person who may not even be a member of the group in question.
- A method to enable the text of someone else’s reply to be altered to say whatever the attacker wants. The ultimate modern-day example of “putting words in someone’s mouth.”
Check Point reported the findings to the Facebook Security team under responsible disclosure, but Facebook fixed only the first item on the list and left the other two, which it did not consider security bugs.
The researchers have now published a video demonstrating the bug, showing manipulation of the message content.
Regarding the bug, a Facebook spokesperson said, “the scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private, such as storing information about the origin of messages.”