Even as rumours on WhatsApp have been linked to dozens of deaths in India, the Facebook-owned messaging app is yet to address a security flaw pointed out a year ago by Check Point, the Israeli security software firm said.
According to security researchers, this vulnerability could be exploited in three ways, all of which involve social engineering tactics to fool end-users.
First, a bad actor could use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
Second, they could alter the text of someone else’s reply, essentially putting words in their mouth.
Third, a private message could be sent to a group participant disguised as a public message and when the targeted individual responds it becomes visible to everyone in the conversation.
Check Point said it informed WhatsApp in 2018 about the vulnerabilities, which would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers power to create and spread misinformation from what appears to be trusted sources.
Notably, WhatsApp fixed the third vulnerability, which enabled threat actors to send a private message to a group participant disguised as a public message for all.
But it was still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources, said Dikla Barda, Roman Zaikin and Oded Vanunu, Security Researchers at Check Point, at the annual Black Hat security conference in Las Vegas.
In a statement to IANS, a Facebook spokesperson said it reviewed the issue a year ago and found that it was “false to suggest there is a vulnerability with the security we provide on WhatsApp”.
“The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages,” the spokesperson said.
To demonstrate the severity of the vulnerability, Check Point even created a tool that allows it to decrypt WhatsApp communication and spoof the messages.
“WhatsApp is the most popular instant messenger in the world. These security flaws are indeed serious, as they could result in group chat participants being humiliated by false messages,” Victor Chebyshev, security researcher at Kaspersky, told IANS.
“This does not mean that users should stop using WhatsApp. While security bugs are dangerous, they are not uncommon in any type of software. Yet users should be careful when contributing to group chats.
“In case of any doubt during correspondence, confirm the author’s identity in a private chat. We recommend keeping an eye on when WhatsApp updates are released and downloading new versions immediately to stay secure,” Chebyshev said.