A new WhatsApp vulnerability was revealed by security researchers at the Black Hat 2019 conference. Researchers from Israeli security company Check Point showed that WhatsApp could be hacked to change the text of a message and the identity of the sender.
The flaws in the Facebook-owned messaging app can be exploited to manipulate chat messages. They allow attackers to attribute words to a sender who never wrote them, enabling attackers to create and spread misinformation.
The bugs were first reported last year, when Vanunu, Zaikin and another researcher, Dikla Barda, managed to reverse engineer the WhatsApp Web source code and successfully decrypt WhatsApp traffic.
“Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application, giving attackers the power to create and spread misinformation from what appear to be trusted sources,” the researchers explained.
The vulnerabilities identified are:
1. The app allows sending a private message to another group participant, disguised as a public message, resulting in the “private” response
2. The quote function can be used to change the identity of the message sender
3. A method to enable the text of someone else’s reply to be altered to say whatever the attacker wants
As of now, WhatsApp has only fixed the first on that list.
“We carefully reviewed this issue a year ago, and it is false to suggest there is a vulnerability with the security we provide on WhatsApp,” a Facebook spokesperson says.
According to Check Point Research, WhatsApp has fixed the third issue as well, but it is still possible to manipulate quoted messages and spread misinformation.