WhatsApp issue lets users manipulate chats to ‘put words in people’s mouths’

Security flaw means people can alter the text of someone else's reply, 'essentially putting words in their mouth'

Anthony Cuthbertson
Thursday 08 August 2019 19:58
In a group conversation, WhatsApp users can change the identity of a sender

Security researchers have discovered a security vulnerability with WhatsApp that allows messages to be manipulated in group chats.

In a blog post detailing their findings, Check Point Research said the security flaw means people can edit someone's reply, "essentially putting words in their mouth".

The Facebook-owned messaging app, which has over 1.5 billion users around the world, is yet to properly fix the bug, despite Check Point Research notifying WhatsApp in 2018. WhatsApp has been contacted for comment.

When the vulnerabilities were first discovered, Facebook likened the issue to "altering an email" to make it look like something a person never wrote.

"This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp," the technology giant said.

"We take the challenge of misinformation seriously and recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats."

The researchers found three possible methods of attack by exploiting the issue. The first involves using the 'quote' feature in a group conversation to change the identity of the sender.

The second is to alter the text of a person's reply, while the third involves sending a private message that actually appears as a public message.

Check Point said only the third of these vulnerabilities has so far been fixed by WhatsApp, despite these issues being of "the utmost importance" and requiring immediate attention.

"Given all the chatter, the potential for online scams, rumours and fake news is huge," Check Point Research wrote in a blog post.

"Threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions."

Check Point’s head of products vulnerability research, Oded Vanunu, told The Independent: "Instant messaging is a vital technology that serves us day-to-day, we manage our private and professional life on this platform and it’s our role in the infosec industry to alert on scenarios that might question the integrity. WhatsApp was very responsive, but took few actions, including fixing one of the manipulation scenarios."

The cyber security firm built a custom tool to take advantage of the flaw, which was demonstrated at the Black Hat conference in Las Vegas this week.
