Well, I’m not a developer, so I’m here to resolve a specific question.
I have been investigating this subject for a while now and I need an opinion from experts or developers who really understand application development (I know something, but not this advanced) in terms of application security.
I was wondering if someone can impersonate someone on WhatsApp. That is the main objective of this post: to specify and clarify this, and how to avoid it.
There is an article from Check Point (https://research.checkpoint.com/2018/fakesapp-a-vulnerability-in-WhatsApp/) which talks about this in detail, but Check Point has not updated the article since 2018. It wouldn’t be strange if this type of vulnerability had evolved into one that is more serious and that implies a more serious security issue for users.
The type of vulnerability which you can buy from black hat hackers or directly on the Deep Web.
In relation to the Check Point article, I did not buy Burp Suite Pro, so I could not prove the vulnerability myself, but obviously the video shows how easy it is to carry out the attack, especially if you are on the same network as the victim; it’s a vicious and unethical attack.
I did an experiment which consisted of the following:
1.) Install WhatsApp on a non-rooted iOS smartphone.
2.) Install WhatsApp on a non-rooted Android smartphone.
3.) Compare two types of conversations: individual and group.
It is very important to highlight that the conversations originated on an iOS smartphone: all the conversations were made in the first instance, or had their origin, on an iOS smartphone. They were also backed up to an iCloud account and then migrated to the Android smartphone with a program which is specifically designed to transfer iOS WhatsApp backups to Android, and files in general.
The experiment was the following:
1.) I took screenshots of the personal and group conversations on the iOS device before transferring them to the Android device with the program. I did this because I suspected something was strange about the conversations. They did not make any sense in terms of time, date and content.
2.) The latter was checked with people in person. The people did not acknowledge and didn’t know about what was talked about in those WhatsApp conversations. I did some light social engineering to obtain the information so the experiment would not fail (the social engineering was done through questions, not computer software) and the result was quite interesting but worrying. When I installed WhatsApp on the Android smartphone and uploaded the WhatsApp backup, the personal conversations preserved their integrity but the group conversations did not. To be more specific, the group conversations came from known contacts, but they came from only TWO contacts of a group of almost 100 contacts. All the conversations made in a particular group appeared to be made up by these TWO contacts, not the 100 individual contacts who appeared to have had the group conversation on the iOS device; another important thing is that some parts of the group conversations were missing, such as photos, videos and other common media.
3.) I obviously did not ask the two contacts who supposedly impersonated the 100 contacts, and the reason for this is quite simple: they could be the attackers, or the attacker used both contacts to access the WhatsApp group and impersonate the 100 contacts with or without their consent. Both of these contacts DO NOT have programming knowledge or hacking skills whatsoever, but maybe they have and I don’t know about it; anyway, it is not likely that they have this type of skills because I know them personally, so I did the light social engineering again and the outcome was the same.
In conclusion, I can tell you that there seems to be a way to impersonate people in group conversations nowadays. The most important thing, in my opinion, is to identify the attack vector.
In my opinion it is important to clarify whether the attack vector is through the application itself (WhatsApp), the smartphone, the iCloud or Gmail account, or maybe another medium of which I’m not aware.
I would appreciate it if you could be specific and maybe share some documentation if it exists.