Researchers have discovered a flaw in WhatsApp that could allow an attacker to intercept and modify messages sent in both private and group conversations.
WhatsApp is a popular Facebook-owned messaging application with over 1.5 billion users who send 65 billion messages daily.
In their published post, Check Point researchers described “the new vulnerabilities in the popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.”
The researchers discovered the vulnerability when they reverse-engineered the WhatsApp algorithm to decrypt the data. They decrypted a communication between the mobile version of WhatsApp and the Web version.
Decrypting the data allowed them to see all the protocols WhatsApp uses for communication, and to access and alter that data as they wished.
This could allow an attacker to manipulate messages and spread false ones.
There are three possible methods to exploit this vulnerability:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
Check Point said it notified WhatsApp about the issue, and WhatsApp responded in a statement: “We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote.”
WhatsApp has recently restricted content forwarding and added a label for forwarded messages to limit the spread of false news.
For more details on this issue, see the post published by Check Point researchers.