(Reuters file)

Black Hat 2019 smokes out vulnerabilities in WhatsApp, iOS, Azure

  • To make its devices more secure, Apple is giving away iPhones to ethical hackers and researchers so they can break into them and flag the vulnerabilities they come across
  • At the Black Hat conference, Apple opened its bug bounty program for iOS and macOS to all researchers

Your favourite messenger's end-to-end encryption may not be as secure as you think. At the Black Hat cybersecurity conference 2019 (August 7-8) in Las Vegas, security researchers from Check Point reverse-engineered WhatsApp's web source code to successfully intercept and manipulate private messages. WhatsApp isn't the only major platform under scrutiny at the conference.

Natalie Silvanovich from Google's Project Zero team investigated the remote interaction-less attack surface of the iPhone and found 10 bugs in SMS, MMS, Visual Voicemail, iMessage and Mail, all of which have been fixed by Apple. Remote vulnerabilities can be exploited to hack and remotely control an iPhone without the user's knowledge.

In an official Project Zero blog post, Silvanovich writes, “Unlike Android, SMS messages are processed in native code by the iPhone, which increases the likelihood of memory corruption vulnerabilities. The majority of vulnerabilities occurred in iMessage due to its broad and difficult to enumerate attack surface.”

To make its devices more secure, Apple is giving away iPhones to ethical hackers and researchers so they can break into them and flag the vulnerabilities they come across. At the Black Hat conference, Apple opened its bug bounty program for iOS and macOS to all researchers and also increased the bug bounty prize from $100,000 to $1 million.

Elaborating on the vulnerabilities in WhatsApp, researchers at Check Point pointed out that they had created a tool to decrypt communications on WhatsApp. When they reversed its algorithm to decrypt the data, they found that the messaging platform was using the protobuf2 protocol for encryption.

When they converted the protobuf2 data to JSON (JavaScript Object Notation)—a data interchange format—they saw the secret parameters for the messages which they were able to manipulate.

In an official blog post, the researchers warn that the vulnerability can be exploited in three ways. First, by spoofing a reply message to put words in someone’s mouth. In this case a hacker can manipulate a chat by sending a reply message to himself so he can modify the content and then send the message back to the group. The second attack can be carried out by changing the identity of a sender in a group chat by using the quote feature even if he is not a member of the group.

WhatsApp is the most widely used mobile messenger with over 400 million users in India.

“These security bugs are of course dangerous, but they are not uncommon in any type of software. Yet, users should be very careful when contributing to group chats. In case of any doubt during correspondence, confirm the author’s identity in a private chat,” said Victor Chebyshev, security researcher at Kaspersky. He also recommends that users keep an eye on WhatsApp updates and download new versions immediately to stay secure, as many of the updates can be patches for such vulnerabilities.

Microsoft has also added a reward of $300,000 to its Azure bug bounty program, inviting any researcher to hack and expose the vulnerabilities in its enterprise-grade cloud computing platform. Researchers at Check Point obliged by detecting a path-traversal vulnerability in Microsoft’s Remote Desktop Protocol (RDP) which left unpatched Azure users open to attacks. In an official post, Microsoft concedes that a remote code execution vulnerability exists in Remote Desktop Services (earlier known as Terminal Services) when an authenticated attacker abuses clipboard redirection. By exploiting this vulnerability, an attacker could execute arbitrary code on the victim’s system to install programs, manipulate data and create new accounts with full user rights.

Black Hat is one of the most prominent cybersecurity conferences after Def Con. Attended by thousands of security professionals and hundreds of tech companies every year, the conference has enabled security researchers to showcase their latest work and highlight the latest security vulnerabilities for more than 20 years.
