Researchers have revealed a tool that exposes a flaw in WhatsApp which lets users manipulate messages and “put words in people’s mouths”.
Check Point, a cybersecurity firm, demonstrated how the tool could alter quotes and make it look as though the sender had said something they did not.
“It’s a vulnerability that allows a malicious user to create fake news and create fraud,” researcher Oded Vanunu told the BBC. He continued, “You can completely change what someone says… You can completely manipulate every character in the quote.”
This error could allow hackers to potentially embed malware into devices.
The spread of misinformation through WhatsApp has previously led to fatalities in India and Brazil; however, the company has tried to deal with this issue by limiting the number of times that messages can be forwarded.
Specifications of the flaw
The statement from Check Point sets out what the researchers discovered. They say the flaw lets people do three things: “Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Alter the text of someone else’s reply, essentially putting words in their mouth.” And, “Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.”
Facebook claims that it has fixed the third issue. But Vanunu commented that due to “infrastructure limitations” on WhatsApp, the other vulnerabilities would be much harder to fix and monitor.
In response to the discovery, Facebook has said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp.”
The company continued, “The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write… We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”
The WhatsApp vulnerability was demonstrated recently at Black Hat, the cybersecurity conference that takes place in Las Vegas.