Security Flaw Can Make Hackers Fake WhatsApp Messages, Researchers Said

There will always be imperfections, because after all, no product is perfect.

Security researchers have discovered that it’s possible for hackers to change the content on both a sent and received WhatsApp message. The flaw enables hackers to change quoted messages, to make it appear someone said something they didn't.

Check Point Software Technologies found that hackers can create an altered version of the WhatsApp app, which enables them to do this malicious deed. With the fake app, they can potentially fake message content, quote it back, and sow the seeds of all sorts of confusion.

The purpose of this attack would be to give someone the impression that someone sent a message that wasn’t actually sent.

In short, you could put words in people's mouths, claim the researchers.

All the techniques involve some social engineering tactics, as well as gaining the targeted users' public-private key pair from the real WhatsApp app, as explained in a blog post by Check Point's Dikla Barda, Roman Zaikin, and Oded Vanunu.

With some skills, trickery and custom extensions for popular network-packet-twiddling toolkit, hackers can:

  • Alter the text of someone's reply on the sender's phone, essentially putting words in their mouth.
  • Use the "quote" feature in a group conversation, and change the identity of the sender, even if that person is not a member of the group.
  • Send a private message to another group participant that is disguised as a public message for all, so when the targeted person responds, the message will be visible to everyone in the conversation.

This is regarded as a serious flaw, and it’s made possible thanks to machine identities - encryption keys and digital certificates that enable privacy and authentication between devices, apps, and clouds.

WhatsApp has been facing criticisms regarding the spread of fake news in several markets, especially in India where people lynched outsiders after a fake video of child kidnappers was forwarded many times on group chats.

The Facebook-owned company brought some fixes to stop this from happening again. This includes putting labels on forwarded messages, and limiting the number of times users can forward messages

As for the flaw that enables hackers to change the content of messages, for WhatsApp, it's possible to create a fix, but would burden the system. The fix should check the authenticity of all sent messages, which means that it should keep track on all 65 billion messages created per day, by its more than 1.5 billion users.

A fix would mean WhatsApp in disabling the end-to-end encryption made by the company's collaboration with Signal.

The company said that it has "carefully reviewed this issue and it’s the equivalent of altering an email." WhatsApp said that it's not a flaw, and it won't fix it. Instead, the company is working on a way to find and remove anyone who is using fake WhatsApp app.