Injection Attacks Against End-to-End Encrypted Applications
Andrés Fábrega, Carolina Ortega Pérez, Armin Namavari, Ben Nassi, Rachit Agarwal, Thomas Ristenpart

TL;DR
This paper investigates injection attacks on end-to-end encrypted messaging apps, demonstrating how adversaries can infer sensitive information by analyzing encrypted backups and highlighting vulnerabilities in current designs.
Contribution
It introduces a novel injection attack model against E2E encrypted applications and reveals specific weaknesses in WhatsApp and Signal backup security.
Findings
Proof-of-concept attacks recover message content from WhatsApp backups.
Attacks infer user metadata from Signal encrypted backups.
Current backup designs have vulnerabilities that compromise privacy.
Abstract
We explore an emerging threat model for end-to-end (E2E) encrypted applications: an adversary sends chosen messages to a target client, thereby "injecting" adversarial content into the application state. Such state is subsequently encrypted and synchronized to an adversarially-visible storage. By observing the lengths of the resulting cloud-stored ciphertexts, the attacker backs out confidential information. We investigate this injection threat model in the context of state-of-the-art encrypted messaging applications that support E2E encrypted backups. We show proof-of-concept attacks that can recover information about E2E encrypted messages or attachments sent via WhatsApp, assuming the ability to compromise the target user's Google or Apple account (which gives access to encrypted backups). We also show weaknesses in Signal's encrypted backup design that would allow injection attacks…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cryptographic Implementations and Security
