WhatsApp’s end-to-end encryption is only secure if you do not have the encryption keys. But researchers at Check Point Research developed a method of determining the encryption keys, and produced a tool to manipulate messages.
The researchers found that WhatsApp uses the protobuf2 protocol in its communication. By converting the protobuf2 data to JSON, they were able to see the parameters being sent, which in turn led them to develop a Burp Suite extension.
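The protobuf-to-JSON step described above can be shown with a schema-less wire-format decoder. This is an added example, not Check Point's extension code; the sample bytes and their field numbers are constructed and do not reflect WhatsApp's actual message schema.

```python
import json

SAMPLE = bytes.fromhex("0a05616c6963651207089601120268691801")  # constructed, not captured traffic

def read_varint(buf, pos):  # base-128 varint at pos -> (value, next_pos)
    value = shift = 0
    while pos < len(buf):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated varint")

def interpret(chunk, depth):
    """No schema, so a length-delimited field is a guess: text, nested message, or raw bytes."""
    text = chunk.decode("utf-8", "replace")
    if text.isprintable() and text.encode("utf-8") == chunk:  # valid, printable UTF-8
        return text, "string"
    try:
        return decode(chunk, depth + 1), "message"
    except ValueError:
        return chunk.hex(), "bytes"

def decode(buf, depth=0):
    """Walk the protobuf wire format; return a JSON-serialisable list of fields."""
    if depth > 16:  # bound recursion on hostile input
        raise ValueError("nesting too deep")
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire = key >> 3, key & 7
        if wire == 0:
            (value, pos), kind = read_varint(buf, pos), "varint"
        elif wire in (1, 5):  # fixed64 / fixed32, little-endian
            start, pos = pos, pos + (8 if wire == 1 else 4)
            value, kind = int.from_bytes(buf[start:pos], "little"), f"fixed{(pos - start) * 8}"
        elif wire == 2:  # length-delimited
            length, start = read_varint(buf, pos)
            pos = start + length
            value, kind = interpret(buf[start:pos], depth)
        else:  # groups (3, 4) and undefined wire types
            raise ValueError(f"unsupported wire type {wire}")
        if number == 0 or pos > len(buf):
            raise ValueError("malformed or truncated field")
        fields.append({"field": number, "type": kind, "value": value})
    return fields

def to_json(buf):
    return json.dumps(decode(buf), indent=2)
```

Without the .proto definition the output carries field numbers rather than names, and the string/message/bytes split is a heuristic that can misclassify short values.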
They combined this with the ability to extract the keys from the key generation phase of WhatsApp Web, before the QR code is sent. The keys allowed them to see the messages, and their extension allowed them to manipulate the parameters. In the process, Check Point discovered three vulnerabilities in WhatsApp that were reported to the vendor, only one of which was fixed.
The researchers later returned to WhatsApp and discovered an additional, and more disruptive, vulnerability: the ability to crash all phones involved in a group chat.
It is not just a crash, but a crash loop that loses the current group chat and stops WhatsApp working at all until it is reinstalled. Since WhatsApp messages are encrypted end-to-end, the content is possibly unrecoverable.
The flaw in WhatsApp is simple; all the hard work had already been done in developing the Burp Suite extension. There were four phases in determining it.
Lastly, both the public and private keys and the ‘secret’ parameter are used within the extension to connect to the Python server, letting the researchers decrypt and modify messages as they wish.
Using this process, the researchers discovered a flaw in the way WhatsApp identifies each user in a group chat: their phone number.
The researchers said: “The bug will crash the app and it will continue to crash even after we reopen WhatsApp, resulting in a crash loop. Moreover, the user will not be able to return to the group and all the data that was written and shared in the group is now gone for good. The group cannot be restored after the crash has happened and will have to be deleted in order to stop the crash.”
WhatsApp has over 1.5 billion users in 180 countries, and the number in the U.S. is expected to grow to 86 million by 2023.