WhatsApp vulnerabilities allow hackers to put "words into your mouth."
The flaws were discovered by an Israeli cybersecurity firm, Checkpoint Research.
One of the three flaws was fixed by Facebook, but the app is still vulnerable.
After discovering iOS flaws that let hackers break into iPhones by just sending a text, a WhatsApp flaw has been revealed by security researchers at the Black Hat conference 2019. The Facebook-owned messaging app is used by 1.5 billion users across the world, and the discovered vulnerabilities can be used to exploit the platform to manipulate chat messages. In simpler terms, the flaw can literally be used to put “words into your mouth.”
The vulnerabilities allow hackers to “intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources,” the researchers noted.
Details of the WhatsApp vulnerabilities were revealed by the Israeli cybersecurity firm Checkpoint Research on August 7 at the conference. However, the researchers said they alerted WhatsApp about the flaws in August last year, and the company addressed only one of the following three vulnerabilities:
In the first case, something written by another person can be changed to appear as if it was written by you. In the second, something written by you can be edited and altered when quoted by anyone else in the group chat. The original text remains unchanged, but anyone viewing the quoted text will see the altered version. This one has been demonstrated in the video at the end of this article.
The third vulnerability relies on the fact that WhatsApp uses end-to-end encryption. Hence, a participant in the group can access the decrypted version of the messages. Basically, the researchers exploited the web version of WhatsApp. As explained by TNW, “By obtaining the private and public key pair created before a QR code is generated, and the ‘secret’ parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly.”
According to Checkpoint Research, “WhatsApp fixed the 3rd vulnerability,” but “we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources.”
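A simplified model of the quoted-message manipulation described above, seen from the receiving client's side; this is an added example, not code from Checkpoint Research or WhatsApp. The field names (`quoted_id`, `quoted_sender`, `quoted_text`) and the local-history lookup are assumptions for illustration and do not reflect WhatsApp's actual message format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    text: str


@dataclass(frozen=True)
class Reply:
    msg_id: str
    sender: str
    text: str
    quoted_id: str      # id of the message being quoted (hypothetical field)
    quoted_sender: str  # author of the quote, as claimed by the replier
    quoted_text: str    # copy of the quoted text, supplied by the replier


def check_quote(reply: Reply, history: dict) -> str:
    """Compare the quote embedded in a reply with the receiver's own copy."""
    original = history.get(reply.quoted_id)
    if original is None:
        return "unverifiable"      # receiver never saw the original message
    if original.sender != reply.quoted_sender:
        return "sender-mismatch"   # words attributed to someone else
    if original.text != reply.quoted_text:
        return "text-mismatch"     # quote altered, original left unchanged
    return "ok"


def audit(replies, history) -> dict:
    """Return {reply id: verdict} for every reply that carries a quote."""
    return {r.msg_id: check_quote(r, history) for r in replies}


# Constructed sample data: the receiver's local history and incoming replies.
HISTORY = {m.msg_id: m for m in [
    Message("m1", "alice", "Meeting moved to 3pm"),
    Message("m2", "bob", "OK, see you then"),
]}
REPLIES = [
    Reply("r1", "carol", "Noted", "m1", "alice", "Meeting moved to 3pm"),
    Reply("r2", "mallory", "Really?", "m1", "alice", "Meeting cancelled"),
    Reply("r3", "mallory", "Wow", "m2", "alice", "OK, see you then"),
    Reply("r4", "mallory", "See?", "m9", "bob", "I never got the memo"),
]

if __name__ == "__main__":
    for reply_id, verdict in audit(REPLIES, HISTORY).items():
        print(reply_id, verdict)
```

The `unverifiable` verdict is the hard case: a participant who joined late or no longer holds the original has nothing to compare the embedded quote against.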
In a reply given to TNW, Facebook said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing the concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages.”
Real-life exploitation will not be a major problem for most users, but the more people in a chat, the greater the threat.
On Facebook’s end, the other two vulnerabilities could not be resolved due to “infrastructure limitations” on WhatsApp.