POST OF THE DAY

March 27, 2017,Posted by: Admin

                 

Security Nightmare: Easy to Hide One's identity using WhatsApp



Whatsapp has two ways of verifying your phone number. One is via sending an SMS (the send or resend SMS option) while the other is via making a call (the call me option). By entering the number of a public payphone and using the call me option, one can receive the verification code via voice on the public payphone and enter it as the verification code.



Whatsapp has two ways of verifying your phone number. One is via sending an SMS (the send or resend SMS option) while the other is via making a call (the call me option). By entering the number of a public payphone and using the call me option, one can receive the verification code via voice on the public payphone and enter it as the verification code linking one's whatsapp account to a public payphone and thus anonymize oneself.



This has huge implications. While being anonymous can be used for good purposes, in the Indian context the misuse potential is huge and in addition whatsapp could also be falling foul of legal stipulations. In the worst case scenario, this could be a national security risk.

Government stipulations may require that whatsapp account be linked to a number which has a known owner. It is called KYC ( know your customer). In the absence of it, a lot of misuse is possible. For instance, whatsapp is so common and popular now, that a lot of entities such as radio stations use whatsapp to receive messages from listeners. The underlying assumption is that one can get the identity of the owner of the whatsapp account from his number. Usually, the number is a mobile number registered with a mobile service provider. In the absence of the above, whatsapp can be misused in many ways. It can be used to send for instance a terror message or a hoax bomb message. Terrorists --- by combining it with Tor --- could use such a whatsapp number for communicating among themselves or with others.

There are thousands and even probably lakhs of such public payphones in India.

Preliminaries : Figure out the number of the public payphone



First, we need to figure out the number of the pay phone. Many payphones dont have their number written on them. So, we will have to make a call using the phone to our known mobile number.

Exploiting the vulnerability to link the whatsapp account with the public payphone

Next we try to exploit the vulnerability and link the public payphone to the whatsapp acount. In the next screenshots the steps are shown.

Step 1. Install whatsapp and start it. The Verify your phone number screen will appear and ask to enter your number. ( screenshot below). phone number Step 2. Enter the public payphone number which was determined above. (screenshot below). phone number Step 3. Confirm it. ( screenshot below) phone number Step 4. Two options are shown. ( screenshot below). phone number Step 5. Choose the call me option. This is the key. Basically, the exploit is possible because the only capability the phone needs to accept the verification code is the ability to receive a voice call. The screen shows the subsequent screen after the call me option is chosen. ( screenshot below). phone number Step 6. Listen to the verification code on the payphone, and enter it. phone number phone number Step 7: The verification code has been accepted now and the app is looking for backups. ( screenshot below)

phone number Step 8: The app is asking to enter profile name. ( screenshot below) phone number

The whatsapp is now linked to the public payphone number and one can annomyize oneself.

Implications of the vulnerability

What this vulnerability shows is that it is possible to link one's whatsapp number to a public payphone in India thus annonymizing oneself. Given that everyone's expectation is that a whatsapp user is using the phone which has his own ownership which can be found out through law enforcement if need be gives rise to a lot of misuse possibilities in this case. For instance, women can be harrassed and a complaint will lead to nowhere ( specifically it will lead to the payphone which is in the middle of nowhere and cannot be pinned down to a particular user). Terrorists can communicate among themselves using this method. Threat messages can be sent anonymously. Messages announcing hoax bomb calls can be sent. Given that whatsapp is being increasingly used to make voice calls, anonymous calls can be made.

All in all this is a security risk which needs to be fixed ASAP. By the way, this issue is not common to just public payphones but is also applicable to private landline phones. However, since ownership of a landline can be pinned down to a specific person, this is no more a security issue there.

Fix

The fix is simple: just remove the call me option, that is the way of sending the verification code via voice.

This vulnerability exists in few other apps, not just whatsapp.

Facebook ( owner of Whatsapp ) was contacted via its bug bounty program regarding this vulnerability on August 25 2016. While they thought this is not a vulnerability, they also admitted that they have no way of recognizing a payphone just from its number. Thus, I had a feeling that they were a bit confused about this. The relevant responses from Facebook are given below.

Facebook 08/31/16 at 1:41 AM
To
samir_kelekar@yahoo.com
Message body
Hi Samir,

Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

Thanks,

Dave
Security

Facebook 09/02/16 at 4:29 AM
To
samir_kelekar@yahoo.com
Message body
Hi Samir,

Of course, we discussed it with several members of our team and at this time there is no reasonable way for us to detect when a user has entered a payphone. It is not something we consider to be a privacy or security risk as the functionality in place is intended to make a phone call to the provided number, then the number is confirmed by the user entering the required information. While we appreciate you taking the time to test and report this it is not considered qualified for our program.

When I asked them if I could go public with this, this was the response.

Facebook 09/09/16 at 5:21 AM
To
samir_kelekar@yahoo.com
Message body
Hi Samir,

We do not consider this a privacy or security risk, and publishing your findings does not violate the terms of our program. Thanks again for your report!

Thanks,
Rusty

It is high time law enforcement agencies ensure that this vulnerability is fixed.

SUBSCRIBE TO THIS BLOG



Copyrights © 2017 Teknotrends Software Pvt Ltd All rights reserved | Template by W3layouts