Researchers revealed that security vulnerabilities in WhatsApp can allow hackers to intercept and manipulate user messages. Read on to know more…
Researchers from Israeli security company Check Point have identified three attack modes in WhatsApp which can be exploited to intercept and manipulate users’ messages. Apparently, these security issues were revealed to WhatsApp last year. However, they remain exploitable even after one year.
Security Issues
The three possible attack modes leverage social engineering tricks to fool users and to spread false information to different WhatsApp groups. These security issues could have various consequences such as the hackers can disguise a private message as a public message and send it to a participant of a group. This causes the ‘private’ response from the targeted individual to be visible to everyone in the conversation.
Hackers can also use the ‘quote’ function of a group conversation to change the identity of the message sender, who is not even a member of the group and attackers can alter someone’s reply or message and add bogus data into it.
As of August 7, WhatsApp has only fixed the first security issue and is believed that attackers can leverage the other two security vulnerabilities to spread online scams, rumors, and fake news.
Latest Investigation
At the recent Black Hat cybersecurity conference 2019 held in Las Vegas, security researchers from CheckPoint reverse-engineered WhatsApp’s web source code to successfully intercept and manipulate private messages. In a presentation titled “Reverse Engineering WhatsApp Encryption for Chat Manipulation and More,” Roman Zaikin, a security researcher, and Oded Vanunu, head of products vulnerability research, both at Check Point, explained the process in detail. Elaborating on the security vulnerabilities in WhatsApp, researchers at Check Point pointed out that they had created a tool to decrypt communications on WhatsApp. When they reversed its algorithm to decrypt the data, they found that the messaging platform was using the protobuf2 protocol for encryption. When they converted the protobuf2 data to JSON (JavaScript Object Notation) — a data interchange format — they saw the secret parameters for the messages which they were able to manipulate.
In an official blog post, the researchers warned that the security vulnerability can be exploited in three ways. First, by spoofing a reply message to put words in someone’s mouth. In this case a hacker can manipulate a chat by sending a reply message to himself so he can modify the content and then send the message back to the group. The second attack can be carried out by changing the identity of a sender in a group chat by using the quote feature even if he is not a member of the group.
Mitigation
“These security bugs are of course dangerous, but they are not uncommon in any type of software. Yet, users should be very careful when contributing to group chats. In case of any doubt during correspondence, confirm the author’s identity in a private chat,” said Victor Chebyshev, security researcher at Kaspersky. He also recommends that users should keep an eye on WhatsApp updates and download new versions immediately to stay secure as many of the updates can be patches for such vulnerabilities.
