WhatsApp vulnerabilities allow hackers to put "words into your mouth."
The flaws were discovered by an Israeli cybersecurity firm, Checkpoint Research.
One of the three flaws were fixed by Facebook, but it is still vulnerable.
After discovering iOS flaws that let hackers break into iPhones by just sending a text, a WhatsApp flaw has been revealed by security researchers at the Black Hat conference 2019. The Facebook-owned messaging app is used by 1.5 billion users across the world, and the discovered vulnerabilities can be used to exploit the platform to manipulate chat messages. In simpler terms, the flaw can literally be used to put “words into your mouth.”
The vulnerabilities allow hackers to “intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources,” the researchers noted.
Details of the WhatsApp vulnerabilities were discovered by an Israeli cybersecurity firm Checkpoint Research on August 7 at the conference. However, the researchers said they alerted WhatsApp about the flaws in August last year, and the company addressed only one of the below-mentioned three vulnerabilities:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.
In the first case, something written by some other person could be changed to appear as if it was written by you. Moreover, in the second, something written by you can be edited and altered when quoted by anyone else in the group chat. However, the original tech remains unchanged, but anyone viewing the quoted text will see the altered version. This one has been demonstrated in the video at the end of this article.
The third vulnerability relies on the fact that WhatsApp uses end-to-end encryption. Hence, a participant in the group can access the decrypted version of the messages. Basically, the researchers exploited the web version of WhatApp. As explained by TNW, “By obtaining the private and public key pair created before a QR code is generated, and the “secret” parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly.”
According to Checkpoint Research, “WhatsApp fixed the 3rd vulnerability,” but “we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources.”
In a reply given to TNW, Facebook said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing the concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages.”
The real-life exploitation will not be a major problem for most users, but the more people in a chat, the greater the threat.
On Facebook’s end, the other two vulnerabilities could not be resolved due to “infrastructure limitations” on WhatsApp.
Follow Us
Digit NewsDesk
Digit News Desk writes news stories across a range of topics. Getting you news updates on the latest in the world of tech. View Full Profile
