Last year, researchers highlighted a WhatsApp vulnerability that can let an attacker alter users’ conversations. Despite the disclosure, Facebook did not fix the flaws. This year, the researchers have also released a WhatsApp Protocol Decryptor tool. The tool makes it much easier to exploit the flaw, as well as to decrypt WhatsApp’s well-known encryption.
WhatsApp Protocol Decryptor Now Public
Researchers at Check Point Research have released a WhatsApp Protocol Decryptor tool to the public. The tool makes it possible to decrypt WhatsApp conversations and then manipulate them.
In August 2018, the researchers reverse-engineered WhatsApp’s code and decrypted its protocol. Furthermore, they found a vulnerability that made it possible to meddle with users’ conversations in real time. As stated in their blog post:
After decrypting the WhatsApp communication we found that WhatsApp is using the “protobuf2 protocol” to do so.
By converting this protobuf2 data to Json we were able to see the actual parameters that are sent and manipulate them in order to check WhatsApp’s security.
They shared a video detailing how an attacker can exploit the bug to manipulate conversations in three different ways.
This year, at Black Hat USA 2019, they have made public the Burp Suite extension that they created last year.
We translated all WhatsApp web functions to python and created a Burpsuite extension that you can use to investigate WhatsApp traffic and extend in order to find vulnerabilities.
The WhatsApp Protocol Decryption Burp Tool is available at the following GitHub link.
Facebook Not Releasing A Fix
Although it has been a year since the disclosure of the WhatsApp vulnerability and the exploit, Facebook has not worked on a suitable fix. Facebook made it clear that the issue might not receive a fix owing to ‘infrastructure limitations’, according to BBC.
Now, with regard to the availability of the WhatsApp Decryptor, Facebook has once again preferred to stay aloof from the matter. According to their statement shared with BBC:
We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp.
The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write.
We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.
In such a situation, it might be harmful to have a decryptor tool accessible to many. However, the researchers have a justification ready to support their action. One of the Check Point researchers, Oded Vanunu, told BBC:
[WhatsApp] serves 30% of the global population. It’s our responsibility. There is a big problem with fake news and manipulation. It’s infrastructure that serves more than 1.5 billion users.
We cannot put it aside and say: ‘Okay, this is not happening.’
It isn’t clear if Facebook has any plans to address this problem anytime soon.