WhatsApp. No matter what you think about the messenger, you have to admit that it is very popular. 1.5 billion users is a huge number. That makes it all the worse when an app like that has security vulnerabilities, especially ones that could theoretically let attackers alter chat messages. It sounds as bad as it is, and thanks to WhatsHack, a new WhatsApp vulnerability, it is entirely possible.
Who are you really talking to?
Just imagine the following: You are having a pleasant WhatsApp chat with a very good friend. All of a sudden the person starts cussing for no reason and being mean and hurtful towards you. You are confused, but no matter how you reply, all you get back is more of the same. A quick call with your friend clears things up, and he tells you that he didn’t write those messages. Would you believe him?
That’s something that could very well happen, as a team of security researchers discovered. Apparently, a new WhatsApp vulnerability allows cybercriminals to:
- alter the text of someone else’s reply to a group chat, essentially putting words in their mouth.
- send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
- use the ‘quote’ feature in a group conversation to change the identity of the sender, to make it appear as if it came from a person who is not even part of the group. By doing this, it would be possible to incriminate a person or close a fraudulent deal, for example.
Take a look at the video below to see how efficiently the manipulation seems to work.
Hard, but not impossible
Performing the attack is a bit more complicated, but hackers who, for example, really want to spread fake news could find a way to make it happen.
As everyone knows, WhatsApp messages are encrypted. That means that in order to wreak havoc, a hacker must first be able to reverse engineer the algorithm and then decrypt the data, which is entirely possible, as the researchers’ blog post points out.
They continue to say that “by decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.”
WhatsApp is doing nothing
Although it has been informed and is aware of the issue, WhatsApp does not see it as necessary to solve it. According to the New York Times, they feel that the discovery “has nothing to do with the security of WhatsApp’s so-called end-to-end encryption, which ensures only the sender and recipient can read messages”.
In the end, that means that you need to be more careful when it comes to trusting your WhatsApp messages. You can always check the validity of a quote by clicking on it. Do so if in doubt.