Editor’s Note: This story is updated with a response from WhatsApp.
Popular messaging service WhatsApp is the latest in a large set of victim companies that have had their web sites hacked for political reasons, using a methodology that has proven to completely circumvent any security measures a web site might have in place.
According to CNET, the domain of the WhatsApp site was hacked to display a pro-Palestinian message during the early morning hours Tuesday. The new page at WhatsApp.com, entitled “You Got Pwned,” showed political messaging from a group known as the KDMS Team, which not only advocated for Palestine but also boasted that no security would be enough to stop them.
The WhatsApp home page has since been returned to normal, but during the attack it was noted that the Domain Name System (DNS) records for the WhatsApp site had been changed. This would suggest that the attackers had not actually cracked into WhatsApp, but had instead used DNS spoofing to hijack the web site’s address. Later today, WhatsApp did confirm this was the method of attack used.
“Our website was hijacked for a small period of time, during which attackers redirected our website to another IP address. We can confirm that no user data was lost or compromised. We are committed to user security and are working with our domain hosting vendor Network Solutions on further investigation of this incident,” a company spokesperson said.
DNS spoofing is an increasingly popular way for malicious hackers to effectively obtain access to a web site. The attack is remarkably simple, and was instrumental in this summer’s hacks of the Twitter and New York Times home pages. While at the time of writing it was not known if this was indeed how WhatsApp was attacked this morning, details from the August 29 attack on the New York Times web site would support the theory.
DNS servers are specialized servers on the Internet that act as a sort of phone book for the Web. Since people usually find it hard to remember the actual IP addresses of web site servers (like 22.214.171.124), DNS lets users type in something more human-friendly, such as readwrite.com. When a human-language address is entered, a DNS server quickly looks up the actual IP address so that the user’s browser can send its request to the right machine.
No single company owns the DNS. Instead, domain names are managed by many companies, known as domain name registrars. Register.com, Network Solutions and GoDaddy are three such major registrars in the U.S., with many more such vendors globally.
What is tricky about DNS registrars is that they all have equal weight. If a customer who owns a domain name goes to any registrar in the world and requests that the domain name for their web site be pointed at a computer with a different IP address (and can provide proof that they indeed control that domain name), then the change will be made.
What happened in August to the New York Times web site didn’t even involve masquerading as the victim. Instead, someone at a U.S. reseller of Australia-based registrar Melbourne IT had their business account hacked after responding to a phishing e-mail message. Once the reseller’s computer was under the control of the hackers, it was used to request that nytimes.com be moved to the false web server, as if the request had come from the newspaper’s IT staff.
For anyone surfing to the New York Times then, the effect was immediate and completely transparent: it looked as if the Times pages had been completely replaced. In actuality, the Times content was completely untouched; visitors were simply being redirected to another server when they typed nytimes.com in their browser.
Based on the comments from WhatsApp, something similar happened to the WhatsApp site. Someone’s account at WhatsApp could have been subverted and used to make the IP address change. Or yet another registrar’s system could have been directly accessed.
The vulnerability of DNS servers is a pressing problem for the unhindered flow of information and commerce on the Web. All the website security in the world won’t make a bit of difference if a domain name is stolen right out from under a company’s nose. Registrars will need to step up their security game to block direct-access address hacks, and customers will have to watch their own step so that an identity thief doesn’t make a domain change on their behalf.
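One way a domain owner can watch for exactly the kind of record change described above is to resolve their own domain on a schedule and alarm on any address outside an allowlist. The following is an added example, not code from the article, WhatsApp or any registrar: it builds a minimal DNS query by hand, parses the raw reply (including compressed names) and reports unexpected A records. The resolver address 8.8.8.8 is an assumption, and the sample reply is constructed so the check runs offline.

```python
import socket, struct

def build_query(name, qtype=1, txid=0x2A2A):  # one question (default: A record), recursion desired
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def read_name(data, off):  # decode a possibly compressed DNS name -> (name, offset just past it)
    labels, end = [], None
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, but remember where this name ended
            end = end or off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels).lower(), (end or off)
        labels.append(data[off:off + n].decode())
        off += n

def parse_a_records(data):  # dotted IPv4 strings from the answer section of a raw DNS reply
    qdcount, ancount = struct.unpack(">HH", data[4:8])
    off, ips = 12, set()
    for _ in range(qdcount):  # skip the echoed question section
        off = read_name(data, off)[1] + 4
    for _ in range(ancount):
        off = read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:  # A record
            ips.add(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen  # other types (CNAME, AAAA, ...) are skipped
    return ips

def udp_lookup(name, server="8.8.8.8"):  # live path; the resolver address is an assumption
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)

def unexpected_ips(name, allowlist, lookup=udp_lookup):
    """Resolved addresses not on the allowlist; a registrar-level hijack changes this record first."""
    return sorted(parse_a_records(lookup(name)) - set(allowlist))

# Constructed reply (not captured traffic): example.com A 203.0.113.7, with the owner name compressed.
SAMPLE_REPLY = (struct.pack(">6H", 0x2A2A, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
                + struct.pack(">HH", 1, 1) + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))

if __name__ == "__main__":  # the allowlist holds the legitimate address, so the redirected one is flagged
    print(unexpected_ips("example.com", {"192.0.2.10"}, lookup=lambda n: SAMPLE_REPLY))
```

Run against a live resolver by omitting the `lookup` argument; for the New York Times variant, where the delegation itself was changed, the same comparison belongs on the domain's NS records.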