Can someone impersonate you on WhatsApp?

Well, I’m not a developer, so I’m here to resolve a specific question.

I have been investigating this subject for a while now and I need an opinion from experts or developers who really understand application development (I know something, but not at this advanced level) in terms of application security.

I was wondering if someone can impersonate someone else on WhatsApp. That is the main objective of this post: to specify and clarify this, and how to avoid it.

There is an article from Check Point (https://research.checkpoint.com/2018/fakesapp-a-vulnerability-in-WhatsApp/) which talks about this in detail, but Check Point has not updated the article since 2018. It wouldn’t be strange if this type of vulnerability had evolved into one that is more serious and that implies a more serious security issue for users.

That is the type of vulnerability which you can buy from black hat hackers or directly on the deep web.

In relation to the Check Point article, I did not buy Burp Suite Pro, so I could not prove the vulnerability myself, but obviously the video shows how easy it is to carry out the attack, especially if you are on the same network as the victim; it’s a vicious and unethical attack.

I did an experiment which consisted of the following:

1.) Install WhatsApp on a non-rooted iOS smartphone.
2.) Install WhatsApp on a non-rooted Android smartphone.
3.) Compare two types of conversations: individual and group.

It is very important to highlight that the conversations originated on an iOS smartphone: all the conversations were first made on, or had their origin on, an iOS smartphone. They were also backed up to an iCloud account and then migrated to the Android smartphone with a program which is specifically designed to transfer iOS WhatsApp backups, and files in general, to Android.

The experiment was the following:

1.) I took screenshots of the personal and group conversations on the iOS device before transferring them to the Android device with the program. I did this because I suspected something was strange about the conversations. They did not make any sense in terms of time, date and content.

2.) The latter was checked with people in person. The people did not acknowledge and didn’t know what was talked about in those WhatsApp conversations. I did some light social engineering to obtain the information so the experiment would not fail (the social engineering was done through questions, not computer software) and the result was quite interesting but worrying. When I installed WhatsApp on the Android smartphone and uploaded the WhatsApp backup, the personal conversations preserved their integrity but the group conversations did not. To be more specific, the group conversations came from known contacts, but they came from only TWO contacts of a group of almost 100 contacts. All the conversations in a particular group appeared to have been made by these TWO contacts, not the 100 individual contacts who appeared to have had the group conversation on the iOS device; another important thing is that some parts of the group conversations were missing, such as photos, videos and other common media.

3.) I obviously did not ask the two contacts who supposedly impersonated the 100 contacts, and the reason for this is quite simple: they could be the attackers, or the attacker used both contacts to access the WhatsApp group and impersonate the 100 contacts with or without their consent. Both of these contacts DO NOT have programming knowledge or hacking skills whatsoever, but maybe they have and I don’t know about it; anyway, it is not likely that they have this type of skills because I know them personally, so I did the light social engineering again and the outcome was the same.

In conclusion, I can tell you that there seems to be a way to impersonate people in group conversations nowadays. The most important thing, in my opinion, is to identify the attack vector.

In my opinion it is important to clarify whether the attack vector is through the application itself (WhatsApp), the smartphone, the iCloud or Gmail account, or maybe another medium of which I’m not aware.

I would appreciate it if you could be specific and maybe share some documentation if it exists.

What prevents me from using some server’s public key to impersonate another server [duplicate]

I read a lot regarding RSA encryption/DH key exchange/digital signatures and the whole TLS protocol.

There’s something I am missing regarding the public key signature validation.

Let’s say some website has a certificate signed with its private key; as a client I have access to the public key.

But if the server only sends the public key to the client, what is preventing me as an attacker from taking this public key and returning it to whoever wants to communicate with me?

I mean, where does the private-key authentication come into play?

I created this small C# code to demonstrate:

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using System.Threading.Tasks;

    class Program
    {
        private const int _port = 4455;

        static void Main(string[] args)
        {
            // Run the server and the client side by side in the same process.
            Task.Run(async () =>
            {
                await TcpServerInit();
            });

            Task.Run(async () =>
            {
                await TcpClientInit();
            });

            Console.ReadLine();
        }

        private static async Task TcpServerInit()
        {
            var server = new TcpListener(IPAddress.Any, _port);
            server.Start();

            while (true)
            {
                TcpClient client = await server.AcceptTcpClientAsync();
                using (var netStream = client.GetStream())
                {
                    ServicePointManager.ServerCertificateValidationCallback = ValidateCertificate;
                    ServicePointManager.Expect100Continue = true;

                    using (var ssl = new SslStream(netStream, false))
                    {
                        // Loads a .cer file: the certificate and its public key only.
                        using (var cert = new X509Certificate2(@"MyPublicCert.cer"))
                        {
                            await ssl.AuthenticateAsServerAsync(cert, false, SslProtocols.Tls12, true);
                        }
                    }
                }
            }
        }

        private static async Task TcpClientInit()
        {
            using (TcpClient client = new TcpClient("localhost", _port))
            {
                using (SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateCertificate), null))
                {
                    var servername = "CN=localhost";
                    await sslStream.AuthenticateAsClientAsync(servername);
                    byte[] message = Encoding.UTF8.GetBytes("Hello");
                    sslStream.Write(message);
                    sslStream.Flush();
                }
            }
        }

        // Client-side validation callback; as posted, it accepts every certificate.
        private static bool ValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            //cert validation
            return true;
        }
    }
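An added example, not code from the original post: it models the proof-of-possession check the question asks about, where the client verifies a signature over a fresh value against the public key in the presented certificate. The class and helper names are hypothetical, and the bare nonce is an assumption standing in for the handshake data that real TLS has the server sign.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PrivateKeyProofDemo // hypothetical name, added example
{
    static readonly HashAlgorithmName Hash = HashAlgorithmName.SHA256;
    static readonly RSASignaturePadding Pad = RSASignaturePadding.Pkcs1;

    // Assumption: a bare nonce stands in for the handshake data that TLS has the server sign.
    static byte[] FreshNonce()
    {
        var nonce = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        return nonce;
    }

    // Client side: check the signature against the public key in the presented certificate.
    static bool ClientAccepts(X509Certificate2 presented, byte[] nonce, byte[] signature)
    {
        using (RSA publicKey = presented.GetRSAPublicKey())
            return publicKey.VerifyData(nonce, signature, Hash, Pad);
    }

    static void Main()
    {
        using (RSA serverKey = RSA.Create(2048))   // stays on the genuine server
        using (RSA attackerKey = RSA.Create(2048)) // the only private key the impostor has
        {
            var request = new CertificateRequest("CN=localhost", serverKey, Hash, Pad);
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 withKey = request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1)))
            // What anyone can copy from the wire or a .cer file: certificate and public key only.
            using (var copied = new X509Certificate2(withKey.Export(X509ContentType.Cert)))
            {
                Console.WriteLine("Copied certificate has private key: " + copied.HasPrivateKey);

                byte[] nonce1 = FreshNonce();
                byte[] genuine = serverKey.SignData(nonce1, Hash, Pad);
                Console.WriteLine("Genuine server accepted: " + ClientAccepts(copied, nonce1, genuine));

                byte[] nonce2 = FreshNonce(); // every connection gets a new challenge
                byte[] forged = attackerKey.SignData(nonce2, Hash, Pad);
                Console.WriteLine("Impostor signing with own key accepted: " + ClientAccepts(copied, nonce2, forged));
                Console.WriteLine("Impostor replaying old signature accepted: " + ClientAccepts(copied, nonce2, genuine));
            }
        }
    }
}
```

The check only protects the client if the certificate itself is validated (chain and host name), so a validation callback that always returns true removes the binding between the verified key and the expected server.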

How does an IMSI catcher “impersonate” a base station/cell tower?

On reading about IMSI catchers, I keep seeing that they “impersonate” a real cell tower or “base station” so that the phone drops its signal-carried data on that machine while on its way to the intended destination.

What I don’t understand is, how exactly does the IMSI catcher do that, or by what mechanism? What is it doing to trick the phone/SIM/connection into saying “This is a valid stop to drop off data”?

How to impersonate in the whole class

I have a WinForm app where I can see a list of reports in a set of buttons. When a user clicks a button, it passes the URL to a new class. The new class is just a form with a WebBrowser embedded in it. The report will be shown in this WebBrowser tool.

Currently I have a requirement where I need to prevent users from using a browser (like IE, Chrome, Firefox) to browse directly to the report that they want on the report server.

So I remove all the users from that folder except for one. In order to view the report, users need to use the WinForm app and click to view the report they want. In order to do this, I am planning to use impersonation to impersonate the only user allowed to see the report.

So far I am able to change the user credentials. But when the WebBrowser form pops up, it says that I am using my own login and thus I don’t have the required permission to see the report.

I suspect that when I open the new form, the credentials are not passed there. Is there a way to fix this?

    using (new ImpersonateUser("TestUsername", Environment.UserDomainName, "TestPassword"))
    {
        string testUser = Environment.UserName;
        ReportForm reportForm = new ReportForm();
        reportForm.Text = record.DisplayField.Replace("&&", "&");
        reportForm.GetReportUrl(URL);
        reportForm.ShowDialog();
    }

FormReport Class:

    public partial class ReportForm : FormBase
    {
        public ReportForm()
        {
            InitializeComponent();
        }

        private void ReportForm_Load(object sender, EventArgs e)
        {
            webBrowser1.Refresh();
        }

        public void GetReportUrl(string repUrl)
        {
            webBrowser1.Url = new Uri(repUrl);
        }
    }