Check Point Software Technologies Ltd says it has found flaws in the WhatsApp messaging app that hackers could potentially exploit to manipulate messages in private or public conversations. This news was reported in Bloomberg Cybersecurity. If this is possible, it could have serious consequences on private and public security. The privacy of individuals could also be compromised. Threat post reports that reasearchers at the Black Hat USA 2019 conference demoed how known vulnerabilities in WhatsApp could still be exploited in several attacks that manipulate chats.
Check Point said its researchers found three potential ways to alter conversations. One uses the “quote” feature in a group conversation to change the appearance of the identity of a sender. Another lets a hacker change the text of someone else’s reply. And the other, which has been fixed, would let a person send a private message to another group participant disguised as a public message to all, so when the targeted individual responded, it was visible to everyone in the conversation.
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp,” a spokesperson for Facebook Inc., which owns WhatsApp, said in an emailed statement. “The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”
Oded Vanunu, Check Point’s head of products vulnerability research, feels the flaws could have serious consequences. WhatsApp has about 1.5 billion users worldwide. It is used not just for personal conversations but also for team collaboration in business. Governments also use WhatsApp for government to citizen communication. Groups have misused WhatsApp to spread misinformation leading to riots and public chaos in some countries. Check Point is an Israeli software company that provides security solutions such as firewalls, security gateway appliances, and other security solutions for networks, the cloud and for mobile platforms.
Check Point said it alerted WhatsApp about the flaws late last year. But the company said only one of the flaws — disguising a private message as one that becomes visible to an entire group — has been addressed. Vanunu said his company is working with WhatsApp, but the other problems were difficult to solve because of the messaging app’s encryption.
This is not the first time that WhatsApp bugs are being reported.
Symantec stated the security flaw, dubbed Media File Jacking, affect WhatsApp for Android by default, and Telegram for Android if certain features are enabled. The flaw, if exploited, allows the attackers misuse and manipulate sensitive information like personal photos and videos, corporate documents, invoices, and voice memos, Symantec stated.
