Critical security flaw in WhatsApp allows manipulation of messages

Security researchers at Checkpoint have revealed the existence of a critical security flaw in messaging platform WhatsApp that allows anyone to use specialised software to intercept and manipulate messages sent in both private and group conversations.

The researchers from Checkpoint demonstrated at Black Hat USA 2019 how a software tool could be used to intercept user communications from WhatsApp and how the tool could be employed to manipulate conversations such as altering the text of a user’s reply, or changing the identity of a user by using the ‘quote’ feature in a group conversation.

The researchers warned that the tool could be used by malicious actors to create fake news and perpetrate fraud by putting words in a person’s mouth. This is possible as the tool can alter the text within quoted messages to completely change the content or tone of the message.

“We managed to reverse engineer WhatsApp web source code and successfully decrypted WhatsApp traffic. During the process we translated all WhatsApp web functions to Python and created a Burp Suite extension that you can use to investigate WhatsApp traffic and extend in order to find vulnerabilities.

“During the process we unveiled new vulnerabilities that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources,” the researchers said.

Facebook yet to fix the year-old flaw in WhatsApp

While the fact that WhatsApp’s end-to-end encryption for user communications can be intercepted is bad enough, what’s worse is that the flaw has existed for over a year and Facebook has not been able to fix it due to “infrastructure limitations” on WhatsApp, security researcher Oded Vanunu told the BBC.

“The spreading of misinformation has been the cause of much controversy over the years and shows no signs of slowing down. This flaw, which could allow attackers to alter the messages being sent in WhatsApp, highlights not only the persistent privacy issues that consumers are facing, but also the challenge for developers,” says Stuart Sharp, VP of solution engineering at OneLogin.

“In these instances as it is impossible to determine – when creating these apps – how attackers are going to manipulate the software and with the evolving nature of such attacks, it’s nearly impossible to determine how attack vectors are changing. The onus of protecting users, and preventing the misuse of the platform however, still lies with WhatsApp, who must take every precaution to make sure these vulnerabilities are patched in a timely manner,” he adds.

Brian Higgins, security specialist at, says that since Facebook have not fixed the vulnerability yet and don’t seem overly concerned, it’s down to the user community to apply a little critical thinking to their online activities and use other chat services until Facebook fix their code.

Copyright Lyonsdown Limited 2021
