Security Experts Warn of Serious WhatsApp Vulnerabilities
According to cybersecurity researchers, weaknesses in the cross-platform messaging app allow malicious actors to intercept and manipulate messages sent in a group chat.
Cybersecurity experts at Check Point, a leading provider of cyber threat intelligence, have discovered a serious vulnerability within WhatsApp that allows cyber attackers to create and spread misinformation under the guise of being a trusted source via group chats. The researchers say that these unscrupulous individuals could impersonate participants of the group chat and even alter potential legal evidence.
This ability to manipulate WhatsApp data is very worrying, as police are increasingly turning to phone data to investigate suspects. Earlier this year, a drugs gang was convicted on the basis of a photograph spotted by police among a stream of WhatsApp messages going back months. With over one billion WhatsApp groups, there is plenty of scope for attackers to make use of these underhand tactics.
According to Check Point, the problem relates to communications between the mobile version of WhatsApp and the web-based version: “By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues. This resulted in us being able to carry out a variety of attack types.”
Three Types of Attacks Uncovered
The first attack involved changing the identity of a sender in a group chat, even if they were not a member of the group: “to impersonate someone from the group, all the attacker need do is catch the encrypted traffic.” The attacker would use the “quote” feature in a group conversation to change the identity of the sender.
The second type of attack involves changing a correspondent’s reply to put words in their mouth: “In this attack, the attacker is able to manipulate the chat by sending a message back to himself on behalf of the other person, as if it had come from them. By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example.”
The third attack type sees the attacker send a private message to another group participant disguised as a public message for all, so that when the individual responds, the reply is visible to the whole group. The researchers said: “In this way, it is possible to manipulate a certain member of the group and ‘trip them up’ in order to have them reveal information to the group that they may otherwise not want them to know.”
Cyber threat expert and partner at Red Goat Cyber Security, Lisa Forte, commented to DIGIT: “If this is true, it has serious implications for privacy and personal security. You would certainly need to be more cautious regarding who you are talking with. If your words could be changed, you could be incriminated for a crime or your reputation could be destroyed.”
Before going public with these findings, Check Point made WhatsApp aware of the issue so that the company could take measures to protect its 1.5bn users from such manipulations. WhatsApp has already been hit by numerous big cyber scams, ranging from fake Costa Coffee vouchers, which stole users’ bank details, to election tampering in India via the proliferation of fake news. Hopefully, this newly uncovered vulnerability will help to encourage the platform, which is owned by Facebook, to better protect its users from cyber attackers.