WhatsApp Flaw Unpatched For Over A Year, Says Check Point

UPDATE:  A spokesperson for Facebook got in touch with Silicon and wished to provide the below by way of response to this story: 

“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”

Original story below:

Researchers from Check Point have demonstrated a long-standing flaw with WhatsApp, that allows hackers to alter the text within quoted messages, so as to make it look as if a person had said something they did not.

The flaws was revealed at the Black Hat conference, and to make matters worse it seems that Facebook was informed about the vulnerability over a year ago but has failed to patch it.

In May this year mobile security specialist Wandera warned that most people had still not patched a serious WhatsApp vulnerability that was being actively exploited to implant advanced surveillance tools on users’ devices.

WhatsApp flaw

But now Check Point has detailed a new flaw that allows hackers to change the text of a message and the identity of the sender, a potentially dangerous flaw with all the fake news doing the rounds.

“Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application that would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources,” said the security firm.

The researchers said there three possible methods of attack exploiting this vulnerability, all of which involve social engineering tactics to fool end-users.

Firstly, hackers could use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.

Secondly, the hackers could alter the text of someone else’s reply, essentially putting words in their mouth.

And thirdly the hacker could send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.

WhatsApp apparently fixed the third vulnerability to do with private messages disguised as a public message for all.

“But, we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources,” said Check Point.

It said that it had followed the process of responsible disclosure, but to demonstrate the severity of this vulnerability in WhatsApp, it created a tool that allows its researchers to decrypt WhatsApp communication and spoof the messages.

“These encryption processes caught our attention, and we decided to try to reverse the WhatsApp’s algorithm to decrypt the data,” said Check Point. “Indeed, after decrypting the WhatsApp communication, we found that WhatsApp is using the ‘protobuf2 protocol’ to do so.”

“By converting this protobuf2 data to Json we were able to see the actual parameters that are sent and manipulate them in order to check WhatsApp’s security,” Check Point said.

Patch often

This will be a disturbing development for many who believe that WhatsApp is secured, and security experts have been quick to point out ways users can protect themselves.

“WhatsApp is the most popular instant messenger in the world,” said Victor Chebyshev, security researcher at Kaspersky. “These security flaws found in the app are indeed very serious, as they could result in group chat participants being humiliated by false messages.”

“This does not mean that users should stop using WhatsApp, as, while security bugs are of course dangerous, they are not uncommon in any type of software,” said Chebyshev. “Yet, users should be very careful when contributing to group chats.”

“In case of any doubt during correspondence, confirm the author’s identity in a private chat,” he warned. “We strongly recommend keeping an eye on when WhatsApp updates are released and downloading new versions immediately to stay secure.”

Do you know all about security? Try our quiz!