A cybersecurity firm has revealed that a vulnerability found on the WhatsApp could allow hackers to “put words in people’s mouths”.

Check Point Research identified that threat actors could intercept and manipulate messages in both private and group conversations on the messaging app. This would enable attackers to spread misinformation.

Three attack methodologies exploiting the vulnerability has been observed, all of which use social engineering tactics. A threat actor can:

Change the identity of the message sender by using the “quote” function in a group conversation, even if that person is not a member of the group.
Alter the text of someone’s message and essentially put “words in their mouth”.
Send a private message to another group participant disguised as a public message for all, resulting in the targeted individual’s response becoming “visible to everyone” in the conversation.
With over 1.5 billion users and over one billion groups, these vulnerabilities have a significant impact on its users, and can be exploited for online scams, fake news and rumours.

“Threat actors have an additional weapon in their arsenal to leverage the platform for their malicious intentions.”

Check Point informed WhatsApp of their findings, and WhatsApp managed to fix the third issue (3), but due to “infrastructure limitations”, were unable to fix the other issues.

Check Point demonstrated the severity of the situation, by creating a tool that exploited the vulnerability, by decrypting WhatsApp communications and spoofing the messages.

Researcher Oded Vanunu from Check Point, was asked by the BBC why his team had created a tool to exploit the vulnerabilities. To which he responded:

“[WhatsApp] serves 30% of the global population. It’s our responsibility. There is a big problem with fake news and manipulation. It’s infrastructure that serves more than 1.5 billion users.

“We cannot like put it aside and say: ‘Okay, this is not happening.’”

Facebook and WhatsApp have yet to comment on the situation.

“This is a very serious issue that still hasn’t been addressed,” commented Stuart Peck, director of cybersecurity strategy at ZeroDayLab, “the integrity of messages received from trusted sources is vital if users are going to trust encrypted messaging services like WhatsApp.”

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.

comments powered by Disqus