WhatsApp is one of the world’s most popular messaging applications. The Facebook-owned app has over 1.5 billion users in over 180 countries. Estimates state that the typical WhatsApp user checks the app more than 23 times a day. Despite this, the app’s user base is only expected to grow.
However, in today’s digital age, digital security has become a major concern. This is especially so as of late with huge scandals involving compromised online security being brought to light recently. Even the parent company, Facebook, was embroiled in a major security breach scandal recently.
Given all the chatter, the potential for online scams, rumours and fake news is huge. Potential threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions.
Towards the end of 2018, Check Point Software Technologies’ research team notified WhatsApp about new vulnerabilities that have been found in the messaging application through extensive research and testing. These vulnerabilities could potentially allow malicious actors to intercept and manipulate messages sent in both private and public conversations, thus proliferating the spread of misinformation and fake news from otherwise trusted sources.
The Check Point team identified three possible methods of attack that exploits the vulnerability, all of which utilise social engineering as a means to fool other users. These three methods include:
1. Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
2. Alter the text of someone else’s reply, essentially putting words in their mouth.
3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.
As of now, WhatsApp have been able to remedy the third method of attack, but it is still possible the utilise the remaining two to spread misinformation.
Check Point’s research team was able to find these vulnerabilities by decrypting WhatsApp’s communication. As is well-known, WhatsApp encrypts every message, picture, call, video or any other type of content you send so that only the recipient can see it. WhatsApp does not have the ability to view these messages.
By decrypting the communication and tinkering with the protocols within the app, the team was able to manipulate messages as long as they were able to get the private and public key the chat session. According to the team, obtaining said keys was a feat that was not too difficult as well.
By decrypting the WhatsApp communication, the Check Point team was able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This enabled them to then manipulate the parameters and start looking for security issues.
Check Point has informed WhatsApp of the vulnerabilities and have advised the company that the issue is of utmost importance and require their undivided attention.
For a more detailed explanation as to how WhatsApp’s encryption process works and how the messages can be manipulated, please click here.