WhatsApp bug allows changing text of messenges and sender’s identity

At a Black Hat security conference, Check Point experts talked about a WhatsApp hack that could allow an attacker to modify text or the identity of the sender of the message.

The bad thing is that WhatsApp developers received information about these vulnerabilities last year. Nevertheless, no patch has yet been released, and the bugs themselves can easily be used in attacks on instant messenger users.

A Check Point study entitled “Reverse Engineering WhatsApp Encryption for Chat Manipulation and More” details the exploitation of security issues in WhatsApp.

“According to sources, WhatsApp, the Facebook-owned messaging application has over 1.5 billion users in over 180 countries. Given all the chatter, the potential for online scams, rumors and fake news is huge. Threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions”, — warn researchers.

It all began in 2018, when Roman Zaikin and Oded Vanunu experts reverse engineered the source code and were able to decrypt WhatsApp traffic. Then the experts discovered vulnerabilities in the messaging service.

In total, the researchers were able to identify three attack scenarios, each of which required the inclusion of social engineering to mislead users.

A threat actor may:

1. Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
2. Alter the text of someone else’s reply, essentially putting words in their mouth.
3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.

According to experts, they fear that such bugs may be used to spread misinformation – a very popular problem these days, by the way.

In other words, attackers can say any thing on behalf of users.

Read also: For protection against hackers’ attacks, VBScript in Windows 7 and 8 will be disabled

Check Point experts even created a special tool with which you can successfully exploit the aforementioned security problems. But even this did not attract proper attention from the parent company – Facebook.

A statement by the Internet giant claims that the problems described by Check Point have nothing to do with pass-through encryption vulnerabilities.

“We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote. This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp”, — a WhatsApp spokesperson said.

Meanwhile, the Check Point team has posted a video that demonstrates the operation of the described security issues: