During the annual Black Hat security conference briefing, last August 7 in Las Vegas, researchers from Check Point, an Israeli security company disclosed how WhatsApp could be hacked to modify the text message as well as the identity of the sender. If this sounds very alarming, it is worth noting that these vulnerabilities were reported to WhatsApp last year. Surprisingly, it appears that these same vulnerabilities are still exploitable despite that it was revealed to WhatsApp a year ago.
During this year's presentation titled "Reverse Engineering WhatsApp Encryption for Chat Manipulation and More," security researchers from Check Point explained the WhatsApp attach in grave details. Check Point's Head of Products Vulnerability Research Oded Vanunu, and Security Researcher Roman Zaikin shared that the discovery began in 2018. They shared that it happened when they reverse-engineered the web source code of WhatsApp and successfully decrypted the app's traffic.
According to the team, while they were creating Burp Suite's extension, which is a web application testing tool, they discovered several vulnerabilities. Check Point identified three potential attack modes, all have something to do with the social-engineering tricks to deceive end-users and give the attacker the tools needed to manipulate and intercept WhatsApp messages. The researchers explained that towards the end of 2018, they notified WhatsApp about the latest vulnerabilities which give attackers the control to make and deploy misinformation from what seems to be trusted sources.
The three WhatsApp attack methods include the ability to send messages to another participant or group cloaked as a public message. This results in the private response from the directed person visible in the group conversation. Another method includes the use of the quote function of a group conversation to alter the identity of the sender of the message.
This could mean that the sender may not even a part of the group. The third method of WhatsApp attack allows the reply of someone else to be changed so the attacker can send whatever message he wants to send. According to the Check Point Team, since August 7, WhatsApp only fixed the first method.
Given the nature of the two remaining WhatsApp methods, there is a great chance for fake news, rumors, and online scams. The Israeli security company went as far as to say that attackers have an extra weapon to take advantage of the messaging platform for their deceitful intentions. However, despite the information given by Check Point to WhatsApp, it appears that these vulnerabilities are still prevalent in the messaging app.
