WhatsApp: Messages manipulated by the web client

A man-in-the-middle who hooks in between the smartphone and the browser can attack the messenger web client and manipulate messages.

Despite WhatsApp’s end-to-end encryption, an attacker may, in certain circumstances, manipulate messages as they log into the messenger’s secure communications channel. The web client of the crypto-messenger is particularly vulnerable here.

Security researchers are now showing how such an attack could happen. They were able to misquote quotes about a vulnerability in the WhatsApp Web client and send messages to chat members on behalf of the cell phone owner. WhatsApp sees the gap as not repairable.

In order to implement the attack discovered by the researchers of the security company Check Point, the attacker has to make it possible for the victim to connect his mobile phone with a browser. He also has to connect as a man-in-the-middle traffic from the browser to the smartphone – most likely if he controls the network in which the victim is located.

When linking mobile phones and web browsers with a QR code, the researchers succeed in reading a secret that is exchanged between the two endpoints. In connection with an extension of the protocol used by WhatsApp protobuf2, they can then read data.

Check point

The researchers managed to read secrets from the traffic between the browser and smartphone. (Picture: check point)

As a result, researchers can manipulate messages under certain conditions. For example, they may incorrectly quote a message sent by the mobile phone. In a group chat, the quoted person does not have to be a member of the group. In addition, they can send a message that looks like a group message to all the members of a group for the recipient – but in reality, the message went only to the recipient. This can drive all sorts of jokes. Even fraud attempts are possible.

To put it plainly: WhatsApp secures the communication between two smartphones with end-to-end encryption that is secure at the height of technology and the current state of knowledge.

When the web client is activated and paired with a smartphone, the end-to-end encrypted messages still end up on the smartphone but are then passed on to the browser. This channel is from the smartphone to the browser is also encrypted.

Basically, both browser and smartphone have the problem that an attacker who controls the device can read the decrypted data. In the current case, however, the researchers show that a browser also offers more options for circumventing encryption due to its higher attack surface.

According to Check Point, the WhatsApp makers have been informed in advance about the findings of the researchers. The company sees in the problem, however, no security vulnerability. Compared to the New York Times, a spokesman for WhatsApp said that they could not prevent the manipulation, because otherwise, you would have to check every single quote. According to WhatsApp, that would overburden the service’s infrastructure.

In addition, such an audit again created a huge privacy issue for users. “We took a close look at the problem, which is the equivalent of manipulating an email,” a WhatsApp spokesman told the Times . The problem has nothing to do with end-to-end encryption.

WhatsApp users who want to be on the safe side should probably refrain from using the web client. Connections from smartphone to smartphone should not be affected. Regardless of the vulnerability that has been released, users who value secure encryption should use WhatsApp’s Web client only on networks and on systems they trust. Of course, anyone who does not use the web client reduces its attack surface accordingly.


Also published on Medium.