Facebook-owned social messaging app WhatsApp is popular for its interesting features. WhatsApp has 1.6 billion users as per stats of 2018, and more than 65 billion messages are sent on WhatsApp every day. No doubt WhatsApp is the top trending communication app right now. WhatsApp is widely praised for its security and user privacy.
However, false news recently spread through forwarded WhatsApp messages caused serious tension in India. After those incidents, WhatsApp made its service stricter about sharing false news: forwarded messages were limited to a certain number of chats. Coming back to the point, Check Point recently claimed to have found a flaw in WhatsApp. Let’s have a look at the flaw.
The flaw in WhatsApp messenger:
Check Point is an Israeli cybersecurity firm founded in 1993. Check Point recently claimed that there are some vulnerabilities in WhatsApp that allow hackers to manipulate messages. This can be done in both personal chats and group chats.
By exploiting this vulnerability, an attacker can spread a great deal of misinformation among senders and recipients. Check Point posted on their research forum discussing the vulnerability in detail. They said, “Our team observed three possible methods of the attack exploiting this vulnerability – all of which involve social engineering tactics to fool end-users.”
Explaining what the vulnerability allows, Check Point said that an attacker can use the ‘quote’ feature in a group chat to change the identity of the sender. The attacker can attribute a message to a person even if that person is not a member of the group.
The attacker can also alter the text of the sender, replacing someone's reply with words of the attacker's own. In addition, the attacker can send a private message to a group participant that is disguised as a public message for all, so when the targeted individual responds, the response is visible to everyone in the conversation.
Check Point published a demonstration video explaining how this flaw can be used to manipulate WhatsApp users’ messages.
WhatsApp’s response to the report:
WhatsApp has replied to Check Point's claim. In its response to the vulnerability report, WhatsApp states: “We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote.” There were many questions about WhatsApp’s end-to-end encryption after this report, but WhatsApp clarified this, saying: “This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.”
Looking at WhatsApp’s track record with such flaws, it is possible that WhatsApp will fix this one too in a future update.