Tal Be'ery
Jan 17 · 8 tweets · 3 min read
1/ A technical writeup on @Meta’s @WhatsApp privacy issue:
WA leaks victim devices’ end-to-end encryption (E2EE) identity information (mobile device + up to 4 linked devices) to any user, by design, even if blocked and not in contacts.
medium.com/@TalBeerySec/h…
2/ For example, it can be applied to Hamas leaders (with whom I obviously had no previous communication)
3/ Monitoring this device identity information over time allows potential attackers to gather actionable and valuable intelligence about their victim's device setup and changes to it (device replaced / added / removed)
4/ This issue is not intrinsic to end-to-end encryption (E2EE) and stems from WhatsApp design choices to have "client fanout" and different keys for each device.
The sender is responsible for sending a different message to each of the recipient's devices, and thus must know them and their keys.
5/ I reported this to @Meta @WhatsApp and their response was that it works as designed.
They are right, but their design is wrong.
6/ I would expect WhatsApp to at least allow users not to expose such details to users who are not in their contact list (as they do with other features, such as the profile picture)
7/ Currently nothing stops advanced cyber attackers, or even a simple jealous ex-partner, from spying on their victims and getting alerted about new devices they own and new opportunities to attack.
I hope @Meta @WhatsApp would reconsider and fix these issues.
8/ Many thanks to my friends and family who helped with this research:
@t_tsafi @ace__pace @OphirHarpaz @LevAretz @yanivazaria @OmerShlomovits @GaryBenattar
And thank you @TechCrunch @lorenzofb for coverage techcrunch.com/2024/01/17/psa…
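Added illustration, not part of the thread and not WhatsApp's code or protocol: a toy Python model of the client-fanout design described in tweets 4 and 7. The key directory, its `device_bundle` lookup, the hash used as a stand-in for per-device encryption, and the `DeviceWatcher` observer are all constructed assumptions. It shows why a sender in a client-fanout design must fetch every recipient device key before sending, and how an observer who never sends a message, and whom the target has blocked, can diff that same lookup over time to see devices added, removed or re-registered under a new identity key.

```python
"""Toy model of client-fanout E2EE and the device-inventory exposure it implies.

Constructed illustration only: this is not WhatsApp's protocol or code. The
"encryption" is a hash stand-in, and the directory/lookup API is invented to
make the design point concrete.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyDirectory:
    """Server-side map user -> {device_id: public identity key}.

    device_bundle() is served to any requester, and the block list is not
    consulted for it, mirroring the behaviour the thread describes.
    """
    _users: dict = field(default_factory=dict)
    _blocked: dict = field(default_factory=dict)

    def register_device(self, user: str, device_id: str) -> bytes:
        """Add a device, or re-register an existing one under a fresh key."""
        key = secrets.token_bytes(32)  # stands in for a public identity key
        self._users.setdefault(user, {})[device_id] = key
        return key

    def remove_device(self, user: str, device_id: str) -> None:
        self._users.get(user, {}).pop(device_id, None)

    def block(self, user: str, other: str) -> None:
        self._blocked.setdefault(user, set()).add(other)

    def is_blocked(self, user: str, other: str) -> bool:
        return other in self._blocked.get(user, set())

    def device_bundle(self, requester: str, user: str) -> dict:
        """Return the target's device identity keys to ANY requester.

        Neither the block list nor a contact list is checked here; that is
        the design choice the thread criticises.
        """
        return dict(self._users.get(user, {}))


def toy_encrypt(device_key: bytes, plaintext: bytes) -> str:
    """Stand-in for per-device encryption: a hash bound to the device key."""
    return hashlib.sha256(device_key + plaintext).hexdigest()


def fanout_send(directory: KeyDirectory, sender: str, recipient: str,
                plaintext: bytes) -> dict:
    """Client fanout: the sender fetches every recipient device key and
    produces one ciphertext per device, so it learns the full device
    inventory as a side effect of sending."""
    bundle = directory.device_bundle(sender, recipient)
    return {dev: toy_encrypt(key, plaintext) for dev, key in bundle.items()}


def diff_bundles(old: dict, new: dict) -> dict:
    """Classify changes between two snapshots of a target's device bundle."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        # same device id, different identity key: a reinstall or replacement
        "replaced": sorted(d for d in set(old) & set(new) if old[d] != new[d]),
    }


class DeviceWatcher:
    """Observer that polls a target's bundle and reports inventory changes.

    The observer never sends a message and may be blocked by the target;
    the key lookup alone is enough."""

    def __init__(self, directory: KeyDirectory, observer: str, target: str):
        self.directory, self.observer, self.target = directory, observer, target
        self.snapshot = directory.device_bundle(observer, target)

    def poll(self) -> dict:
        current = self.directory.device_bundle(self.observer, self.target)
        changes = diff_bundles(self.snapshot, current)
        self.snapshot = current
        return changes


def demo() -> dict:
    """Scenario: the target blocks the watcher, then changes devices; the
    watcher still sees every change. Returns the reported diff."""
    d = KeyDirectory()
    d.register_device("target", "phone")
    d.register_device("target", "laptop")
    d.block("target", "watcher")
    w = DeviceWatcher(d, "watcher", "target")
    d.register_device("target", "tablet")   # new linked device
    d.remove_device("target", "laptop")     # device unlinked
    d.register_device("target", "phone")    # reinstall: same id, new key
    return w.poll()


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry between the two roles: `fanout_send` legitimately needs the whole bundle, so any gating of `device_bundle` (for example on the target's contact list, as tweet 6 suggests) has to be decided at the directory, not at the sending client, since the client is the party being kept in the dark.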