Lawrence Abrams* says researchers have discovered a new way for attackers to manipulate conversations and alter messages in Facebook-owned WhatsApp.
With over 1 billion users and over 60 billion messages sent every day, Facebook-owned WhatsApp has had a problem with the spread of fake news and rumours.
Because of this, the company has had to restrict the number of times a particular message can be forwarded.
The problem has now gotten worse: researchers from Check Point have found a way to manipulate conversations by modifying existing replies that were received, by quoting a message so that it appears to have come from another user who may not be part of the group, and by sending private messages that can be seen by only one person in a group while that person's replies go to everyone in it.
“Given WhatsApp’s prevalence among consumers, businesses, and Government Agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams,” Oded Vanunu, Check Point’s Head of Product Vulnerability Research, said about these findings.
“As one of the main communication channels available today, WhatsApp is used for sensitive conversations ranging from confidential corporate and Government information, to criminal intelligence that could be used in a court of law.”
Using these techniques, attackers can manipulate conversations and group messages in order to change evidence and spread fake news and misinformation.
How the attacks work
As WhatsApp encrypts messages sent through the app, the researchers first had to decrypt the network request in order to determine how WhatsApp sends a message.
While messages between users are secure, a local client still needs to decrypt the message.
This allowed Check Point to reverse the encryption and then locally decrypt the network requests to determine how communication is done.
Once they could see which variables were used when a message is sent, they could start to manipulate those variables to see what could be changed or done.
This allowed them to discover that they could modify messages or change the way they appeared in order to confuse recipients.
“Then you can start to play with the parameters and try to attack the system as a normal web application without any encryption in the way,” Check Point researcher Roman Zaikin told Bleeping Computer.
Zaikin also told us that this vulnerability can only be exploited by users in a conversation and not by someone sniffing the network, because the communication is encrypted.
* Lawrence Abrams is the creator and owner of BleepingComputer.com. He tweets at @LawrenceAbrams.
This article first appeared at www.bleepingcomputer.com.