This tool can intercept, manipulate texts on WhatsApp

Check Point security researchers demoed an encryption vulnerability found in the WhatsApp messenger app at the ongoing Black Hat convention in Las Vegas.

This is said to be a follow-up to Check Point's 2018 cybersecurity report. Experts had discovered a threat in WhatsApp and had also developed a tool that could intercept and manipulate text in the messenger app.

This vulnerability allows a malicious user to circulate fake news, commit fraud and even completely change every character in a quote, a Check Point security expert said.

Check Point has informed the Facebook-owned company about the issue. 

Taking cognizance of the severity of the threat, WhatsApp has managed to fix it partially. But the text manipulation vulnerability remains a big threat.


WhatsApp text manipulation test; Picture credit: Check Point Research paper

Here are some of the ways a hacker could hoodwink a WhatsApp user:
1) Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
2) Alter the text of someone else’s reply, essentially putting words in their mouth.
3) Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

The company has managed to fix the third vulnerability mentioned above, which allowed a hacker to send the victim's private reply message illegally to all members of the group.

This seems to be a tricky situation, as it has come to light that WhatsApp's strict encryption 'protobuf2 protocol' doesn't allow the company to track messages exchanged between users. So, it's almost impossible for the company to know whether a message has been intercepted and manipulated.

"Given all the chatter, the potential for online scams, rumors, and fake news is huge. Threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions," the Check Point report said.

“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private - such as storing information about the origin of messages,” a Facebook spokesperson said.

Also, the Facebook spokesperson noted that if the company had to make changes as per Check Point experts, it would require WhatsApp to log all messages, which it does not want to do for the privacy of messenger app users.

Also, it would make it impossible to deliver messages to groups when a single person was not connected to the internet (i.e. while on a plane), which would have serious usability problems. It would also prevent users from quote-replying to a message sent prior to a new group member joining, which would also have problems.

"People always have the option of blocking a sender who tries to spoof messages and they can report problematic content to us. We also work to ban accounts trying to change WhatsApp and use it to spam users," the Facebook spokesperson noted.

This is a developing story. DH has sought a response from WhatsApp. Stay tuned.