By implementing changes such a the E2E encryption for all users, Whatsapp has changed its image from a messenger app with appalling security to an app that is respected by many. Sure it isn’t signal or matrix but at least it is better than bubcon (Link in german).
Whatsapp accounts are based on phone numbers. This means your phone number is your username and it’s also used for authentication. While this is not perfect from a privacy standpoint it saves the, often non-technical, user from having to remember yet another password that they could potentially reuse or, even worse, disclose through a phishing attack.
Brief overview of the log-in process:
When starting the app for the very first time the user has to enter their phone number. A verification token is then send to this number by SMS or call. After that code has been entered into the app, the authentication token is saved on the device and the user is logged in.
When the user gets a new device the process needs to be repeated for this device and the old one will be de-authorized. Whatsapp does not store old messages on their servers, so previous messages won’t be transferred to the new device.
Of course the process is a bit more complex but this simplification is suitable for the purpose of this article.
This convenience comes with the cost of being vulnerable to new attacks like cell network hacking that can be used get access to a phone number. It is also required that the user trusts their mobile provider because they have full access over the number and could easily take over an account.
The view of an attacker
From a „low budged“ attacker’s perspective it looks quite difficult to bypass. There are only two „obvious“ inroads:
- Accessing the victims phone number in some way. As mentioned above, this could be achieved by some kind of network against the cell attack or the mobile service provider. Even if access to the phone number could be obtained, though, it would not give access to any old messages or the chat history and the victim would become instantly aware something was up, as their phone would get logged out.
- Break into the OS and get access to the data partition etc. While this would work, it is quite expensive.
A new player joins in
In 2015 Whatsapp launched Whatsapp Web, a website that conveniently allows sending and receiving Whatsapp messages from a computer. To use it, a browser has to be peered with the phone, and the phone remains in command. Here a brief overview of the flow:
By scanning a QR code shown on the Whatsapp Web page using the Whatsapp mobile app the browser that requested the code is authorized. The user can now use Whatsapp in this browser, as long as their phone is turned on and accessible by the computer.
This procedure offers a convenient toe-hold for attackers. Trick the user into scanning the QR code and it will give full access to the account including future and past communication. Bingo!
An actual attack
It’s pretty simple: the attacker only needs to trick the user into scanning an “malicious” code to authorize the attacker’s browser. This will give them full access to the Whatsapp account of the victim. A simple online raffle, in which the victim is asked to scan a code to enter, could pose as a lure.
The following illustrates how it works:
To complicate it, Whatsapp does not display a static QR code on their registration page but generates a different one every few seconds. This prevents attackers from simply copying the code and publishing on a new page.
In my demo I circumvented this obstacle by continuously grabbing the code using a scripted browser and sending it to the “victim” using a websocket connection.
- The user will see the additional browser when they list their authenticated Whatsapp Web devices.
- The victim will receive a warning if an extra browser logs into the web client while they are using Whatsapp Web themselves.
- It still is a socially engineered attack: the victim has to be conned into giving access.
Still, it is an interesting option to hoodwink careless users.
The tool I’ve developed uses selenium to get the QR codes and express.js + socket.io to display them on a separate page. If a victim scans this code using their phone, document.cookie and localStorage of the selenium browser are dumped into a file on the attacker’s machine. The acquired data can then be used to log into the victim’s account using any browser. (Code is available on Github)
There are no quick fixes to avoid such an attack, except a complete revamp of the authentication procedure. I think while Whatsapp might have been aware the possibility when they developed their web client, they might have considered it no big issue.