Whatsapp Web : An easy way to Hijack Whatsapp Accounts

Whatsapp Web : An easy way to Hijack Whatsapp Accounts

With the introduction of end to end encryption for all its users, Whatsapp seems to have improved its market value as a messenger application with increasing security to its app.

Mobile numbers act as the basic structure for Whatsapp accounts. Your mobile number acts as your username and the ONE TIME Password works as the Security Key to authenticate it. It often makes it easier for a non-technical to get hold of different passwords for various accounts but this does not ensure a perfect security measure from a privacy standpoint.

Brief overview of the Whatsapp Login process :

The basic procedure to activate a Whatsapp account is to enter your mobile number. A authentication token is send through a tet message or call on your number. The code is pushed into the app, and the accounts gets activted and the authentication token gets saved in yout device.

Users on purchasing a new Device, have to repeat this process on their devices, and the previious Whatsapp account on an older device gets deactivated and becomes authorized on the new device.

Such an easy procedure is vulnerable to attacks such as Cell network hijacking, through which an intruder can easily gain access to your mobile phone. The user should trust its service provider, as they have the master control of their devices with them.

From the View of an attacker

There are two obvious budgetd ways for an attacker to bypass this :

  1. Either the attacker gains access to the user’s phone as mentioned above through Cell Network Hijacking or through Social Engineering thereafter he’ll be able to authenticate the user’s Whatsapp account. Or
  2. Breaking into the OS and getting access to the data partition etc, while this is quite expensive.

In 2015 a New Player Was Introduced

Whatsapp launched Whatsapp Web, which made convienant to use whatsapp through your web browser parallel to your mobile device. The brief overview of its functioning is as follows:

By scanning the QR code displayed on the Whatsapp Web login page through its mobile device,  the user could easily authenticate its whatsapp account and could use it on its web browser as long as there phone are turned ON.

This method gave a Super Key for the hackers to crack into the Whatsapp account of the users , and have an easy access to their accounts, without their knowledge.

An Actual Attack

The attacker only need to  trick the user to scan a malicious code to authorize the attacker’s browser. The allows full access to the user’s Whatsapp account.

The Following illustrates how it works :

To complicate the entire process, Whatsapp displays a non static code on the Whatsapp Web login page which changes after every few second to ensure the security of their users accounts.

A security researcher Martin Wanger, circumvented this obstacle by continuously capturing the changing QR code through a scripted browser and sending it to the victim through a Web Socket Connection.

FLAWS

  1. An extra browser would be listed in the WHatsapp Web Browser authentication lis.t
  2. The user will receive a notification when a Whatsapp Web Connection is establieshed if he is already using Whatsapp Web at that particular time.
  3. It is still a socially engineered attack; the victime has to be conned into giving access.

Still, many people would fall in such a trap.

Demo

The tool Martin Wanger developed uses selenium to get the QR codes and express.js + socket.io to display them on a separate page.  If a victim scans this code using their phone, document.cookie and localStorage of the selenium browser are dumped into a file on the attacker’s machine. The acquired data can then be used to log into the victim’s account using any browser. (Code is available on GitHub )

Possible Fixes

Whatsapp has now started a two-step authentication feature as well, for its users, where the user could use their own passwords to keep their accounts safe. Still it does not seems to be a possible fix to this. Though Whatsapp might have considered this issue when introducing their Whatsapp Web Feature.

Leave a Reply

Your email address will not be published. Required fields are marked *