Cyberattackers can change and manipulate your WhatsApp messages

8 Aug 2019

Image: diego_cervo/Depositphotos

A group of researchers at security firm Check Point has highlighted vulnerabilities in popular messaging app WhatsApp.

A newly discovered WhatsApp vulnerability could allow for threat actors to drastically alter messages on the popular platform.

Israeli security firm Check Point revealed in a briefing at the annual Black Hat security conference in Las Vegas, Nevada, that WhatsApp messages can be manipulated to change the content of a message and even the identity of the sender.

Threat actors can also send private messages to group participants and disguise them as public messages, meaning that the targeted individual’s response will be visible to everyone. This third vulnerability, however, has since been rectified. The other vulnerabilities have yet to be addressed and Check Point “found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources”.

In an attempt to convey the severity of the situation, Check Point even created a tool allowing it to decrypt communications on WhatsApp and spoof the messages.

“Instant messaging is a vital technology that serves us day to day. We manage our private and professional life on this platform and it’s our role in the infosec industry to alert on scenarios that might question the integrity,” said Oded Vanunu, head of products vulnerability research at Check Point and one of the researchers who discovered the vulnerabilities.

“WhatsApp was very responsive, but took few actions though, including fixing one of the manipulation scenarios. So, we decided to share the technical information and the scenarios during [this conference] to drive awareness,” he added.

The Check Point team highlighted the implications that these vulnerabilities could have for the spread of disinformation on social media, something that is already a flashpoint for the Facebook-owned platform.

However, WhatsApp has contested Check Point’s claim that these qualify as vulnerabilities.

A spokesperson from Facebook said: “The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”

The company also maintains that people have the option of blocking a sender who tries to spoof messages and that they can report problematic content to WhatsApp.

The messaging platform has been at the centre of a number of different misinformation controversies. In the past two years, according to the Washington Post, at least two dozen people in India have been killed in violent mobs incited by rumours spread on WhatsApp. India is the biggest market for the app, which has also been implicated in the spread of disinformation in the lead up to the country’s elections.

Person typing message on WhatsApp on phone. Image: diego_cervo/Depositphotos

Updated, 1:07 pm, 8 August 2019: This article was amended to include comments from a Facebook spokesperson.

Eva Short was a journalist at Silicon Republic