Researchers uncover WhatsApp flaw allowing message manipulation

8 Aug 2018

WhatsApp chat window open on a mobile phone. Image: Nadir Keklik/Shutterstock

Researchers at Israeli cybersecurity firm Check Point find new flaws in WhatsApp.

WhatsApp is the messaging app of choice for many, so the news that Check Point researchers have found problems in its system will pique the interest of a vast number of people. The platform has a whopping 1.5bn users worldwide, with more than 65bn messages sent every day.

The newly identified flaw could potentially allow hackers to modify and send fake messages within WhatsApp, as well as create and spread misinformation.

The disclosure of the issue by Check Point comes at a pivotal time for the messaging platform, which has been scrutinised closely for its role in the dissemination of false news in places such as India and Brazil.

What is the issue?

According to Check Point, by exploiting vulnerabilities in communications between WhatsApp for mobile and the web version, a hacker could potentially:

  • Alter the text of someone’s reply, essentially putting words in their mouth
  • Use the ‘quote’ feature in a group conversation to change the identity of the message sender (this could make it appear as if it came from a person who is not even part of the group)
  • Send a private message to another group participant disguised as a public message for all. When the individual responds, it’s visible to all in the conversation

Decryption of messages allowed researchers to view the parameters used for communications and manipulate them into creating and sending fake messages.

WhatsApp downplays discovery

While it does acknowledge Check Point’s discovery, WhatsApp disagrees that it is a flaw. The company said: “We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote.

“This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.”

WhatsApp added that it had recently placed a limit on forwarding content. It also added a label to forwarded messages to tackle the spread of false stories. A spokesperson for the company told The New York Times that the Check Point discovery was not related to its efforts to stop misinformation.

Head of vulnerability research at Check Point, Oded Vanunu, said: “The public relies on the integrity of the message.

“WhatsApp needs to adjust to prevent this simple manipulation.”

If you want to check the validity of a quoted message, clicking on it will take you back to the spot in the chat where it was originally sent.

This will work unless the message has since been deleted or you were not a member of the chat when the message was written.


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
