The end-to-end encryption of your favorite messenger may not be as secure as you think. At the Black Hat Cyber Security Conference 2019 (7-8 August) in Las Vegas, security researchers at Check Point reverse-engineered WhatsApp Web source code and successfully intercepted and manipulated private messages. WhatsApp is not the only major platform being investigated at the conference.
Natalie Silvanovich from Google’s Project Zero team examined the iPhone’s remote, interaction-less attack surface and found 10 bugs in SMS, MMS, Visual Voicemail, iMessage and Mail, all of which have been fixed by Apple. Unknown vulnerabilities of this kind can be exploited to hack and remotely control an iPhone without the user’s knowledge.
In an official Project Zero blog post, Silvanovich writes, “Unlike Android, SMS messages are processed in native code by the iPhone, which increases the chances of memory-corruption vulnerabilities. Most of the vulnerabilities occurred in iMessage due to its extensive attack surface and the difficulty of comprehensively calculating it.”
To make its devices more secure, Apple is giving iPhones to ethical hackers and researchers so that they can break into them and flag the weaknesses they come across. At the Black Hat conference, Apple opened its bug bounty program for iOS and macOS to all researchers and also increased the maximum bounty from $100,000 to $1 million.
Check Point researchers, while discussing the weaknesses of WhatsApp, explained that they had created a tool to decrypt communications on WhatsApp. When they reversed its algorithm to decrypt the data, they found that the messaging platform was using the protobuf2 protocol for encryption.
In an official blog post, the researchers warned that the vulnerability could be exploited in three ways. The first is spoofing a reply message to put words in someone’s mouth: an attacker manipulates a chat by sending a reply message to themselves, modifying its content, and then sending it back to the group. The second is using the quote feature to change the identity of the sender in a group chat, even if that person is not a member of the group.
WhatsApp is the most widely used mobile messenger in India, with over 400 million users.
“These security bugs are undoubtedly dangerous, but they are not uncommon in any software. Nevertheless, users should be cautious when contributing to group chat. In case of any doubt during correspondence, confirm the author’s identity in a private conversation,” said Victor Chebyshev, a security researcher at Kaspersky. He also recommended that users keep an eye on WhatsApp updates and download new versions immediately to be safe, as there may be multiple update patches for such vulnerabilities.
Microsoft has also added a $300,000 reward to its Azure bug bounty program, which invites any researcher to hack its enterprise-grade cloud computing platform and uncover vulnerabilities. Researchers at Check Point explored a path-traversal vulnerability in Microsoft’s Remote Desktop Protocol (RDP), which left unpatched Azure users open to attacks. In an official post, Microsoft states that a remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an authenticated attacker abuses clipboard redirection. By exploiting this vulnerability, an attacker could execute arbitrary code on the victim’s system to install programs, manipulate data, and create new accounts with full user rights.
Black Hat, along with DEF CON, is one of the most prominent cybersecurity conferences, attended by thousands of security professionals and tech companies every year. For more than 20 years, the conference has enabled security researchers to showcase their latest work and expose the latest security vulnerabilities.