Talos Vulnerability Report

TALOS-2018-0643

Facebook WhatsApp Desktop Multiple Web Connection Notice Bypass Vulnerability

December 10, 2018
CVE Number

Summary

An exploitable notice bypass vulnerability exists in the multiple web connections functionality of Facebook WhatsApp Desktop version 0.2.9739. This functionality allows a user to choose what to do when multiple desktop sessions are initiated using WhatsApp Desktop. By stealing the session information from its victim and following a specific sequence of steps an attacker can clone a session and receive in real time all messages and attachments from the victims communications. Can start a session on its own computer while preventing the multiple web connections notice on the victim screen.

Tested Versions

Facebook WhatsApp for MacOS version 0.2.9739 Facebook WhatsApp for Windows version 0.2.9928

Product URLs

https://www.whatsapp.com

CVSSv3 Score

6.0 - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-303: Incorrect Implementation of Authentication Algorithm

Details

WhatsApp Desktop allows a person to use WhatsApp on the desktop. The enrollment process for the desktop requires the user to read a QR code generated by the desktop app using their mobile application. This enrollment is valid while the mobile device has Internet connectivity or until the user manually deletes the session on the mobile application. If a user copies the session data from one desktop to another a notice will be shown asking the user to either reclaim the session back to the original desktop or to logout. If the user takes no action the session will be valid at the secondary desktop.

If attackers get access to the session information (using some malware or locally) they are able to start a shadow session without the user getting the multiple session notice. In order to do so attackers need to follow the following procedure:

  1. Copy the victim's session information
  2. Stop the victim's WhatsApp instance
  3. Start their own instance using the victim's session data
  4. Interrupt communication with the WhatsApp server on their instance
  5. Either wait for the victim to relaunch his or her instance or launch it themselves
  6. Re-enable communication with WhatsApp server on the attacker's instance.

After following this procedure the attacker will receive all previous messages and future messages without the victim ever receiving a notice on the desktop application. The only way the user has to check if a shadow session exists is by checking it manually on the mobile application menus. From there he or she is also able to disable such a connection.

Timeline

2018-07-05 - Initial contact via vendor template; report #104531533800808 assigned
2018-07-31 - After initial refusal to look into the issue. Vendor says vulnerability is on the Electron Framework
2018-08-01 - Reply explaining that the lack of encryption of the Electron Framework cookies are also a problem
2018-08-01 - Vendor replied that would look into the issue
2018-09-04 - Follow up w/vendor, no response
2018-09-24 - Follow up w/vendor, no response
2018-10-03 - Follow up w/vendor advising issue reaches 90 days and plans for public disclosure
2018-11-26 - Follow up w/vendor, advising that we could disclose
2018-12-03 - Requested CVE from Mitre
2018-12-10 - Public disclosure 2018-12-10 - Public disclosure

Credit

Discovered by Vitor Ventura of Cisco Talos.