WhatsApp is an instant messaging platform that prides itself on encryption and security, but a flaw revealed by researchers during the annual Black Hat conference could potentially allow anyone to fake messages that appear to have come from you.
According to Check Point Research, there are three different ways to exploit this new vulnerability, including two that would make messages appear as if they were from someone else.
A threat actor may:
- Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
Check Point says that it was also able to find a way to fool users into confusing private and public messages, although Facebook has already been able to resolve that issue. Oddly, Facebook was also told about the other flaws a year ago but it believes that it isn’t practical to fix them. The presence of end-to-end encryption is ironically getting in the way of Facebook’s attempts to fix the problem, as noted by TNW.
The researchers exploited the web version of WhatsApp that allows users to pair their phone using a QR code.
By obtaining the private and public key pair created before a QR code is generated, and the “secret” parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly […]
Once the web traffic — containing details like participant details, the actual conversation, and a unique ID — is captured, the researchers said the flaws allowed them to spoof message replies, alter message content, and even “manipulate the chat by sending a message back to the sender on behalf of the other person, as if it had come from them.”
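The two quote-related flaws both come down to a reply carrying its own copy of the quoted sender and text. As an added illustration (not Check Point's or WhatsApp's code), the sketch below shows the kind of consistency check a receiving client could run against its own stored history. The field names `quotedId`, `quotedSender` and `quotedText`, the exact-match comparison and the sample messages are assumptions made for the example.

```javascript
// Added illustration: field names are hypothetical and do not reflect
// WhatsApp's actual message format. All sample data is constructed.
const groupMembers = new Set(["alice", "bob", "carol"]);
const localHistory = new Map([
  ["m1", { sender: "alice", text: "Lunch at noon?" }],
  ["m2", { sender: "bob", text: "I can't make it." }],
]);

// Compare the quoted context carried by an incoming reply with the
// message the receiving client actually stored under that ID.
function checkQuote(reply, history, members) {
  const findings = [];
  if (!members.has(reply.quotedSender)) {
    findings.push("quoted-sender-not-in-group");
  }
  const original = history.get(reply.quotedId);
  if (original) {
    if (original.sender !== reply.quotedSender) {
      findings.push("quoted-sender-differs");
    }
    if (original.text !== reply.quotedText) {
      findings.push("quoted-text-differs");
    }
  }
  // No stored copy (new device, deleted message) means the quote cannot
  // be confirmed either way, so it is reported as unverifiable.
  let verdict = "consistent";
  if (findings.length > 0) verdict = "mismatch";
  else if (!original) verdict = "unverifiable";
  return { verdict, findings };
}

// Constructed replies covering the cases described in the article.
const samples = {
  honest: { quotedId: "m2", quotedSender: "bob", quotedText: "I can't make it." },
  alteredText: { quotedId: "m2", quotedSender: "bob", quotedText: "I'll pay for everyone." },
  outsider: { quotedId: "m1", quotedSender: "dave", quotedText: "Lunch at noon?" },
  unknownId: { quotedId: "m9", quotedSender: "alice", quotedText: "See you there." },
};

for (const [name, reply] of Object.entries(samples)) {
  const result = checkQuote(reply, localHistory, groupMembers);
  console.log(name, result.verdict, result.findings.join(","));
}
```

A check like this only helps when the recipient still holds the original message; the `unverifiable` case is the one where a client has nothing to compare against.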
Most people are unlikely to be at risk from such security flaws, especially when they only have chats with people they know and trust. But as chat groups grow, the potential for foul play increases.