Israeli cybersecurity firm says WhatsApp flaw allows hacking of messages
Check Point says weakness in popular messaging app enables attackers to modify and send false missives to individuals and groups
Israeli cybersecurity firm Check Point Software Technologies said Wednesday it had uncovered a security flaw in WhatsApp that could allow hackers to modify and send fake messages in the popular social messaging app.
Check Point said the vulnerability gives a hacker the possibility “to intercept and manipulate messages sent by those in a group or private conversation” as well as “create and spread misinformation.”
It said the flaw allows bad actors to use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group; to alter the text of someone else’s reply, essentially putting words in their mouth; to send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
Hackers could use such weaknesses for various criminal activities, causing personal and financial harm to users worldwide.
Check Point’s Oded Vanunu said the company had notified WhatsApp of the issues, but the latter had responded that it could not immediately fix the matter due to the way the app is constructed.
“Since people have been murdered in India and Brazil due to fake WhatsApp messages, and since WhatsApp is admissible evidence in courts around the world, we decided we couldn’t keep it to ourselves,” he said.
“WhatsApp has long since stopped being simply an app — it has become an infrastructure that serves institutions, organizations, schools and industry.”
Check Point could not say whether the flaws had been taken advantage of thus far.
A WhatsApp spokesperson said: “We carefully reviewed this issue and it’s the equivalent of altering an e-mail to make it look like something a person never wrote.
“This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.”
The app noted it recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats in order to tackle the challenge of misinformation.
The report of the flaw comes as the Facebook-owned company is coming under increasing scrutiny as a means of spreading misinformation due to its popularity and convenience for forwarding messages to groups.
Last month, the app announced limits on forwarding messages following threats by the Indian government to take action after more than 20 people were butchered by crazed mobs after being accused of child kidnapping and other crimes in viral messages circulated wildly on WhatsApp.
Founded in 2009 and purchased by Facebook in 2014, WhatsApp said that at the beginning of the year it had more than 1.5 billion users who exchanged 65 billion messages per day.