Cybersecurity researchers at Check Point claim to have discovered multiple flaws in the popular instant messaging app WhatsApp. The three-pronged vulnerabilities allows hackers to spoof the identity of a sender, alter the text of someone else’s reply, and send a private message to a group participate that’s disguised as a public message.
CheckPoint researchers claim they had informed WhatsApp about the vulnerabilities in 2018. The instant messaging company only fixed the third vulnerability while leaving other two vulnerabilities exposed to hackers.
Researchers developed a tool that enabled them to decrypt WhatsApp communication and spoof the messages. Researchers pointed out that they focused on reversing WhatsApp’s algorithm to decrypt the data after analyzing how the messaging company encrypts the communication.
Vulnerability 1: Altering the identity of a sender
Researchers demonstrated that hackers can access encrypted traffic to impersonate another group member and then send it an extension to decrypt the content. Hackers can then reply to a spoofed message in a group, even though an original message to the reply never existed.
Vulnerability 2: Putting words in your mouth
The second vulnerability allows hackers to change the message sent by the sender back to himself. Researchers said thy exploited “fromMe” parameter used in WhatsApp messages. The parameter is essentially used to indicate who the original sender of a message is.
WhatsApp rejected the Check Point study saying the hacks were not a vulnerability with the security protocols of the instant messaging app. The company said that the so-called vulnerability was akin to altering email replies.
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages,” said a WhatsApp spokesperson.
Security researchers share a screenshot of a spoofed message ( Checkpoint )
Should you be worried?
The latest study reveals a complex but feasible method for hackers to conduct frauds through WhatsApp. Security experts suggest that users should be mindful of their messages in group messages. If they find anything suspicious, they should verify with the sender in a private chat.
Rahul Tyagi, Co-founder, Lucideus said, “WhatsApp can prevent this by addressing the vulnerabilities and fixing them which WhatsApp denied the existence of. In this scenario, Checkpoint has mentioned that they were able to create a decrypter by identifying the encryption that WhatsApp uses, denoting the possibilities of attackers gaining the same knowledge to create decrypter tools and intercept the users’ messages.”
“If WhatsApp were to address and prevent this, then the privacy feature that WhatApp promises will be affected as it will have to store user information in order to identify the validity of the messages that are communicated between the users,” he added.
Farrhad Acidwalla, founder of Cybernetiv Digital – Forward Thinking Analytics and Research, said, “Any security flaw if accessible to those with the mensrea to exploit it will be potentially detrimental to consumers and enterprises. These apparent Whatsapp vulnerabilities could permit malicious actors to spread fake news or put words in chats that victims never really said.”
“Whatsapp seems to have known about some of these flaws for a while but hasn’t pushed out the fixes. An official Facebook response compared these bugs to altering an email thread to change someone’s words. Technologically, it makes sense that the chats are end-to-end encrypted and Facebook may feel like it cannot do much here as the exploit is coming from within one of the users’ phones,” he added.
“WhatsApp is the most popular instant messenger in the world. These security flaws found in the app are indeed very serious, as they could result in group chat participants being humiliated by false messages. This does not mean that users should stop using WhatsApp, as, while security bugs are of course dangerous, they are not uncommon in any type of software,” said Victor Chebyshev, a security researcher at Kaspersky.
“Yet, users should be very careful when contributing to group chats. In case of any doubt during correspondence, confirm the author’s identity in a private chat. We strongly recommend keeping an eye on when WhatsApp updates are released and downloading new versions immediately to stay secure,” he added.
For now, users can block a sender who they think is trying to spoof messages. They can also report such behaviour to WhatsApp.
WhatsApp last year pointed out that it was possible for hackers to manipulate the “quote” feature but it was not a flaw related to its end-to-end encryption. “We carefully reviewed this issue and it’s the equivalent of altering an email,” a WhatsApp spokesperson had told The New York Times last year.
WhatsApp had said the offered fixes such as creating transcripts of every message exchange weren’t worth considering as they would undermine the security standards of the app.
First Published: Aug 09, 2019 11:47 IST