WhatsApp vulnerabilities 'put words in your mouth,' lets hackers take over conversations

The bugs could be used to dictate your responses in conversations.
Written by Charlie Osborne, Contributing Writer

A series of vulnerabilities in WhatsApp which could permit hackers to tamper with conversations have been made public. 

On Wednesday, Check Point security researchers Dikla Barda, Roman Zaikin, and Oded Vanunu revealed three methods of attack exploiting these vulnerabilities. 

According to the team, the bugs "could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources."

Speaking at the Black Hat conference in Las Vegas, Nevada, Vanunu said that the vulnerabilities have existed for a year, despite responsible disclosure in 2018.

Facebook said the WhatsApp bugs were due to "limitations that can't be solved due to their structure and architecture," according to the Financial Times

A tool, demonstrated at Black Hat, has now been developed by Check Point to further press the issue and act as a proof-of-concept (PoC). The researchers believe the vulnerabilities are "of the utmost importance and require attention."

See also: LokiBot malware now hides its source code in image files

There are three methods of attack which exploit the problems. The first allows hackers to use the "quote" feature in a group conversation to change the identity of a sender -- even if that person has not participated in a group chat. 

The second is the alteration of a reply, which the researchers describe as "essentially putting words in [a contact's] mouth."

The third is the sending of a 'private' message to another group participant which is actually masked as a public message, and so when responded to, everyone in a conversation can see the content. 

Check Point attempted to reverse WhatsApp's algorithm to decrypt data and communication. The team was then able to see the parameters sent between the desktop and mobile version of the platform, and this information allowed them to develop the tool and conduct the attacks. 

Full technical details of the decryption and spoofing tool, as well as possible attack vectors, can be found in Check Point's blog post

CNET: Hackers want you to be happy. People in a good mood are easier to trick, research says

At the time of writing, the private message to public message issue has been resolved by Facebook, but it is believed the two other exploits are still active. 

When asked why Check Point had developed the PoC and disclosed the problems, Vanunu told the BBC:

"[WhatsApp] serves 30 percent of the global population. It's our responsibility. There is a big problem with fake news and manipulation. It's infrastructure that serves more than 1.5 billion users. We cannot like put it aside and say: 'Okay, this is not happening.'"

TechRepublic: Businesses need to patch for BlueKeep to avoid another WannaCry

These attacks could theoretically be used to spread fake news and propaganda, a problem the platform is already attempting to tackle. In June, WhatsApp was criticized as the source of fake news circulating around the India, Brazil, Kenya, and the UK.

Political content, anti-vaccine videos and messages, rumors of child abductors, and fake news have all been spread through the platform. 

ZDNet has reached out to Facebook and will update if we hear back. 

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards