WhatsApp data leak: Meta ignores problems

by admin
Meta's WhatsApp is one of the most popular messenger services worldwide, with over five billion downloads and two billion active users. But with great power comes great responsibility, and WhatsApp obviously has a data protection problem.

According to a report by Tal Be’ery, attackers only need to know their victim’s phone number to be able to query various data. They can access information about the devices of users who use the same service. To date, users have no option to control or restrict this data sharing. It makes no difference whether the attacker’s number is saved in the victim's contacts or even blocked.

Methods and effects

Using the browser’s developer tools, attackers can access a local database while the WhatsApp web client is open. This database contains all the required end-to-end encryption (E2EE) identity keys for all devices. For this to be possible, the attacker simply needs to add the victim’s phone number.

The data can then be found in a table that contains all of the victim’s contacts including the identity key. However, this is only one of the ways to access the data.

With this strategy, attackers can continuously monitor the device information and thus determine whether the user has companion devices, for example a computer connected via WhatsApp Web. These companion devices are also easier to attack than the main device.

The perfidious thing is that the attackers can simulate attacks on the companion devices while the actual attack is then concentrated on the main device. Because the messages are end-to-end encrypted, the server that processes the messages cannot detect that their contents differ between devices. In addition, pretty much any private person can gain access to the methods and data.

Solutions

So far, Meta appears to have responded little, if at all, to these issues. There are currently no available methods to protect against such attacks. Tal Be’ery reports that he shared his observations with Meta, but Meta simply dismissed him, explaining that this was not an implementation error but a consequence of how the protocol fundamentally works by design.
