Even as rumours on WhatsApp have been linked to dozens of deaths in India, the Facebook-owned messaging app is yet to address a security flaw pointed out a year ago by Check Point, an Israeli security software firm.
According to security researchers, this vulnerability could be exploited in three ways, all of which involve social engineering tactics to fool end-users.
First, a bad actor could use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
Second, he/she could alter the text of someone else’s reply, essentially putting words in their mouth.
Third, a private message could be sent to a group participant disguised as a public message and when the targeted individual responds it becomes visible to everyone in the conversation.
Check Point informed WhatsApp in 2018 about the vulnerabilities, which would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers power to create and spread misinformation from what appears to be trusted sources.
Notably, WhatsApp fixed the third vulnerability, which enabled threat actors to send a private message to a group participant disguised as a public message for all.
But it was still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources, said Dikla Barda, Roman Zaikin and Oded Vanunu, Security Researchers at Check Point, at the annual Black Hat security conference in Las Vegas.
When asked, WhatsApp said it had nothing to share officially.
“WhatsApp is the most popular instant messenger in the world. These security flaws are indeed serious, as they could result in group chat participants being humiliated by false messages,” Victor Chebyshev, security researcher at Kaspersky, told IANS.
“This does not mean that users should stop using WhatsApp. While security bugs are dangerous, they are not uncommon in any type of software. Yet users should be careful when contributing to group chats.
“In case of any doubt during correspondence, confirm the author’s identity in a private chat. We recommend keeping an eye on when WhatsApp updates are released and downloading new versions immediately to stay secure,” Chebyshev said.
To demonstrate the severity of the vulnerability, Check Point even created a tool that allows it to decrypt WhatsApp communication and spoof the messages.