WhatsApp is an instant messaging platform that prides itself on encryption and security, but a flaw revealed by researchers during the annual Black Hat conference could potentially allow anyone to fake messages that appear to have come from you.

There are three different ways to exploit this new vulnerability according to Check Point Research, including two which would make messages appear as if they were from someone else.

A threat actor may:

  • Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  • Alter the text of someone else’s reply, essentially putting words in their mouth.

Check Point says that it was also able to find a way to fool users into confusing private and public messages, although Facebook has already been able to resolve that issue. Oddly, Facebook was also told about the other flaws a year ago but it believes that it isn’t practical to fix them. The presence of end-to-end encryption is ironically getting in the way of Facebook’s attempts to fix the problem, as noted by TNW.

The researchers exploited the web version of WhatsApp that allows users to pair their phone using a QR code.

By obtaining the private and public key pair created before a QR code is generated, and the “secret” parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly […]

Once the web traffic — containing details like participant details, the actual conversation, and a unique ID — is captured, the researchers said the flaws allowed them to spoof message replies, alter message content, and even “manipulate the chat by sending a message back to the sender on behalf of the other person, as if it had come from them.”

https://www.youtube.com/watch?v=rtSFaHPA0C4

Most people are unlikely to be at risk from such security flaws, especially when they only have chats with people they know and trust. But as chat groups grow, the potential for foul play increases.

(Via: TNW | Source: Check Point Research)

You may also like to check out:

You can follow us on Twitter, or Instagram, and even like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple, and the Web.

Related Stories