Facebook’s popular instant messaging app WhatsApp has yet another series of flaws that could let attackers alter your messages. The flaws have been made public recently by CheckPoint researchers at the on-going Black Hat Conference. The demo was just a follow-up to the already WhatsApp vulnerability research paper published last year by the firm.
One flaw involves WhatsApp’s message quoting feature, by changing the sender of the message even if he/she is not a participant of the group. The second flaw involves alteration of a reply in what the researcher’s term as to “put words in people’s mouths.”
The third flaw is a trick that duped users into thinking they are replying to a public group message “masked” as a private one hence letting users in the group see the whole conversation. No need to worry about the last one, it was already patched by Facebook.
Most importantly, these flaws do not interfere whatsoever with WhatsApp’s end-to-end encryption.
“You can completely change what someone says,” Mr Vanunu, one of the researchers said. “You can completely manipulate every character in the quote.”
Facebook was already aware of the bugs, but the company failed to act on them last year because “limitations that can’t be solved due to their structure and architecture.” Facebook admitted that patching the remaining flaws could render major usability problems to the app.
Despite the sheer limitations of ironing the bugs that Facebook blamed on Android, CheckPoint researchers believe the flaws need attention. CheckPoint told the BBC, “There is a big problem with fake news and manipulation … We cannot like put it aside and say: ‘Okay, this is not happening.'”
(Updated 9th August 2019: Facebook response included)
In response to the matter, a Facebook spokesperson said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp.”
“The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write.
“We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”