WhatsApp text messages could potentially be altered by hackers, security experts have revealed at the Black Hat cyber-security conference, which takes place each year in Las Vegas. Researchers from Check Point Technologies showcased the vulnerabilities in the Facebook-owned messaging app earlier this week. They had discovered the flaws in WhatsApp back in 2018 and had alerted the company to them, though the ‘issue’ still remains.
Facebook, in its statement to indianexpress.com, said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”
The scenario in which WhatsApp messages can be altered is back in the news because the researchers have now presented their findings at Black Hat, which is a prestigious conference on cyber-security. According to the research done by Check Point’s experts, attackers can exploit these flaws in WhatsApp to intercept and alter messages in group and individual conversations.
The researchers insist that hackers could use this to spread misinformation, which is already a serious problem on WhatsApp. Check Point’s Head of Products Vulnerability Research Oded Vanunu and Security Expert Roman Zaikin revealed the vulnerabilities in WhatsApp, which they discovered by reverse engineering its web source code and decrypting its traffic. They were able to do this by creating their own Burp Suite extension. Burp Suite is a program for testing the security of web-based applications.
In this case, the researchers created their own extension and were able to exploit the connection between WhatsApp Web and the mobile app. In order to use WhatsApp Web, one needs to scan a QR code with the app.
According to the researchers, “by decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.”
Based on their understanding, the team found that there are three ways of exploiting messages on WhatsApp and claims that these can be used to fool end users.
The first is that someone can send a private message to another group participant, which is disguised as a public message for all. When the targeted individual responds, the response is visible to everyone in the conversation.
Another use case is where the ‘quote’ feature in a group conversation is used to change the identity of the sender, even if that person is not a member of the group.
Finally, the attackers can alter the text of someone else’s reply, essentially putting words in their mouth, according to the presenters. The technical details of their presentation, along with examples of how it would work, are also available on the Black Hat website.
Keep in mind that WhatsApp’s end-to-end encryption is not compromised by this. WhatsApp is also reportedly working on its own standalone desktop app.