At the annual Black Hat security conference in Las Vegas, researchers from Israeli security company Check Point Software Technologies Ltd. said that they had found three potential ways to hack Facebook-owned WhatsApp to alter conversations and the identity of the sender. Check Point security researcher Roman Zaikin and Oded Vanunu, head of products vulnerability research, explained the process in a presentation entitled “Reverse Engineering WhatsApp Encryption for Chat Manipulation and More”. As of August 7, WhatsApp had only fixed one of the three vulnerabilities.
Check Point provides security for computer networks. In 2018, the cybersecurity firm identified flaws in the popular messaging app that could allow hackers to manipulate messages in both public and private conversations. The researchers said during their presentation, “Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application, giving attackers the power to create and spread misinformation from what appear to be trusted sources.”
The vulnerability that has been patched allowed hackers to send a private message to another group participant, disguised as a public message, so the private response would be visible to everyone in the conversation. The two that have not been fixed involves the use of the “quote” function of a group conversation to change the identity of the message sender and the ability to alter the text of someone else’s reply to whatever the attacker wants. Check Point said that it informed WhatsApp of its findings in the name of responsible disclosure.
A spokesperson for Facebook said in an emailed statement “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”