The world's most popular messaging application, WhatsApp, which had received considerable flak over the dissemination of fake news last year, is in the eye of the storm once again with an Israeli cybersecurity firm uncovering new vulnerabilities on the platform. Check Point Software Technologies said in a report released on Wednesday that the firm had notified WhatsApp about new vulnerabilities in the app towards the end of 2018, which "would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources".
The Check Point Research team claimed to have observed three possible methods of attack exploiting this vulnerability, all involving social engineering tactics to fool end-users. To begin with, a threat actor could use the "quote" feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Another method alters the text of someone else's reply, essentially putting words in their mouth. For instance, the team discovered that a message saying "Great!" sent by a member of a group could be changed to something else; they replaced it with "I'm going to die, in a hospital right now".
The third vulnerability enabled one to send a private message to another group participant disguised as a public message for all. In other words, when the targeted individual responded, it would be visible to everyone in the conversation. "In this way it is possible to manipulate a certain member of the group and 'trip them up' in order to have them reveal information to the group that they may otherwise not want them to know," the report stated.
"WhatsApp fixed the 3rd vulnerability which enabled threat actors to send a private message to another group participant disguised as a public message for all. But, we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources," the firm said. That's worrying news indeed for the 400 million and counting WhatsApp users in India and over a billion users in other countries.
"The flaws could have significant consequences because WhatsApp has about 1.5 billion users, and is used for personal conversations, business communications and political messaging," Oded Vanunu, Check Point's head of products vulnerability research, told Bloomberg. He added that his company is working with WhatsApp, but the other problems were difficult to solve because of the messaging app's encryption.