The effect could be obtained by modifying a participant's phone number and sending out a message. As a result, members would no longer be able to access the group or conversation history.
Getting the keys
The issue, fixed with the release of WhatsApp 2.19.246, was in the XMPP (Extensible Messaging and Presence Protocol) responsible for instant messaging.
Using a tool of their own creation called WhatsApp Manipulation Tool, vulnerability researchers at Check Point were able to modify the parameters the app needs to deliver messages in a coherent way and obtain the denial-of-service result.
It is important to note that this research builds on previous efforts to break WhatsApp's secure message delivery. That endeavor resulted in the ability to intercept and manipulate messages sent privately or to groups.
Check Point's technique involves the participation of a group member and obtaining the encryption keys that are generated during the login process.
Using the Burp Suite web vulnerability scanner, they intercepted the WhatsApp traffic containing the "secret" parameter holding the data necessary to modify the details leading to the continuous crash.
Illegal characters
With the encryption and decryption keys, and the "secret" parameter in hand, the researchers could send the messages in clear text to the manipulation tool.
In a report released today, Check Point explains that a crash is registered whenever a message is delivered whose "participant" parameter has a "null" value.
This can happen when the parser for the participant's phone number mishandles the input, such as in the case of a non-digit string.
"In a typical scenario, when a user in a WhatsApp group sends a message to the group, the application will examine the parameter participant to identify who sent the message. While using our tool we were able to access this parameter and edit it" - Check Point
Thus, reaching the crash objective became pretty simple: replace the sender's phone number with any non-digit characters.
At this point, any message from the attacking participant would result in WhatsApp crashing in a loop. The effect would replicate each time the messaging app attempts to read the sender's details.
Stopping the crash effect is possible only by reinstalling the app and deleting the group. As a consequence, all the conversation history attached to it is lost.
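As an added illustration of the parsing failure described above (this is not Check Point's tool or WhatsApp's code), a sender lookup that yields null for a non-digit participant is shown beside a validating parser that drops the malformed message instead of crashing. The stanza layout, the sample values and the phone-number length bounds are assumptions.

```python
import re

# Constructed sample stanzas (not captured WhatsApp traffic): a well-formed
# participant and one whose phone number was replaced by non-digit text.
SAMPLE_STANZAS = [
    {"from": "group-1", "participant": "15551234567", "body": "hello"},
    {"from": "group-1", "participant": "not-a-number", "body": "hello"},
]

# Assumed validation rule: digits only, with E.164-style length bounds.
PHONE_RE = re.compile(r"\d{7,15}")


def fragile_lookup(participant):
    """Mimics the failure mode in the article: non-digit input yields None."""
    return participant if participant.isdigit() else None


def fragile_handle(stanza):
    """Uses the sender without a null check; raises TypeError on malformed input."""
    sender = fragile_lookup(stanza["participant"])
    return "message from +" + sender  # TypeError when sender is None


def parse_participant(participant):
    """Hardened parser: validate the whole field and fail closed with an error."""
    if not PHONE_RE.fullmatch(participant):
        raise ValueError(f"malformed participant: {participant!r}")
    return participant


def hardened_handle(stanza):
    """Drop a malformed stanza and keep the group readable instead of crashing."""
    try:
        sender = parse_participant(stanza["participant"])
    except ValueError as exc:
        return ("dropped", str(exc))
    return ("ok", sender)


def crashes(handler, stanza):
    """Report whether a handler raises on the stanza (the crash-loop condition)."""
    try:
        handler(stanza)
    except TypeError:
        return True
    return False
```

Run with `hardened_handle(s) for s in SAMPLE_STANZAS` to see the valid stanza accepted and the malformed one dropped with a reason.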
WhatsApp is used not only casually for friendly chatting. Some users rely on it as the main communication service for work-related matters.
The researchers argue that the outcome of exploiting such a bug is drastic for groups that share valuable information.
Check Point has published a video showing how an attacker could have destroyed group chats:
https://youtu.be/u-sGONBNrwg
Discovered in August, the bug was disclosed responsibly to WhatsApp and fixed in app versions starting with 2.19.246.