During the annual Black Hat security conference held in Las Vegas, security researchers from Israeli cyber security firm Check Point Research demonstrated how vulnerabilities in WhatsApp’s platform could be used to manipulate the contents of messages sent in personal and group chats.
WhatsApp messages are encrypted by default so that they can only be seen by the recipient. However, using a tool they created, the researchers were able to decrypt WhatsApp communication and spoof the messages.
This vulnerability could have significant consequences because WhatsApp has about 1.5 billion users who use the app for personal conversations and business communications, with over one billion groups and 65 billion messages sent every day.
In a blog post, the researchers said they found not one but three potential ways that WhatsApp messages can be altered. They are:
The ‘quote function’ in group conversations can be used to change the sender’s identity, even if the person is not a member of the group.
“In this attack, it is possible to spoof a reply message to impersonate another group member and even a non-existing group member,” the firm said.
Hackers can alter the text of someone else’s reply, essentially putting words in their mouth.
“By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example,” the firm said.
Hackers can send a private message to another group participant that is disguised as a public message for all. This means that you might feel that you have received a private message in a group, but when you respond, it will be visible to all the people in the group.
The researchers contacted WhatsApp, which is owned by Facebook, about the flaws late last year. However, responding to the claims made by the cyber security firm, a Facebook spokesperson said that claims regarding vulnerabilities in WhatsApp were false.
So far only one of the flaws (disguising a private message as one that becomes visible to an entire group) has been addressed.
Oded Vanunu, one of the researchers, said his company is working with WhatsApp, but the other problems were difficult to solve because of the messaging app’s encryption.
Demonstration of the vulnerability by Check Point Research