Forget Encryption, WhatsApp Is Vulnerable To Phishing Attacks

Recently there has been a lot of noise about how WhatsApp has rolled out end-to-end encryption, such that even WhatsApp cannot decrypt messages for federal agencies. This has been done in the interest of the privacy and security of 1 billion people for whom WhatsApp is the sole choice for sending text messages and making phone calls to other users.

However, it's not the federal agencies that WhatsApp should be protecting its users from. It's the phishing attacks, scams, and identity thefts targeting naïve users that need WhatsApp's urgent attention.

Some time back, WhatsApp introduced WhatsApp Web for its users: they scan a QR code from WhatsApp on their mobile phone and can then use WhatsApp from their desktop or laptop in the same way they do on their phone.

WhatsApp Web is the gateway for unscrupulous individuals and companies to phish personal data, financial details, confidential information, pictures, videos, and chats from WhatsApp accounts of people.

They do it easily, just by:

1. Scraping the QR code from WhatsApp Web

2. Posting that scraped QR code on their phishing site or page

3. Asking visitors to the phishing page to scan it from WhatsApp on their phone, offering in return a prize, cash, or anything else that can lure a user

4. Once the user has scanned it, these phishing individuals or companies get complete access to the user's WhatsApp

Technically savvy readers can download and examine the source code for phishing on WhatsApp here: https://github.com/Mawalu/whatsapp-phishing


Most of the 1 billion WhatsApp users are not technically savvy enough to realize that a parallel connection to their WhatsApp account is created the moment they scan a QR code on a non-WhatsApp site from their WhatsApp application. Try explaining that to your mother!

How WhatsApp Web Works:

1. The user logs on to web.whatsapp.com from their desktop

2. They scan the QR code on the page from WhatsApp on their mobile phone

3. They are connected to WhatsApp via their desktop or laptop

What Phishing Individuals and Companies Are Doing:

1. The user is taken to a fraudulent website

2. The website requires the user to scan a QR code from WhatsApp

3. Once scanned, the fraudulent website gets access to the user's WhatsApp account


While the example above is only illustrative, it is already happening around us. I came across a company named 1Group / ii5.com in India which is using this vulnerability as a feature of their product. They get naïve customers to scan a QR code and get access to the customers' WhatsApp groups. I recorded a video of how it works and it is actually scary.

What can get stolen:

1. Anything and everything that you have shared via WhatsApp, such as bank details, passwords, private pictures, personal messages, etc.

2. Your entire contact list

3. Your complete chat data

4. Your personal information

All this data can now be accessed by these phishing individuals and companies. Imagine what they could do with it.

Moreover, they can send messages to any contact on your phone while posing as you. For example:

1. Inappropriate messages to your professional contacts

2. Indecent messages to your family

How dangerous could it become if any individual or company gained access to a large number of WhatsApp users? The personal and confidential information of a billion users is at stake, and it could set off a phishing bomb with unimagined repercussions. Think about anti-national elements getting into this phishing scam and what they could do with it. It's not encryption but phishing protection that customers really need.

#WakeUpWhatsapp

A group of tech reformists have also raised their voices to secure the personal and confidential data of WhatsApp users; they are running a campaign on Twitter and have garnered support to a large extent. You can also raise your voice after reading their open letter to WhatsApp.

[About the Author: Sachin Arora is a Tech evangelist for Oracle and contributes to the company’s Big Data Strategy and Innovation for both public and private enterprises. As an SMAC (Social, Media, Analytics, Cloud) expert, Sachin closely examines the potential and risks of upcoming technologies.]
