Researchers have uncovered security shortcomings in WhatsApp that create a means for hackers to intercept and manipulate messages sent in both private and group conversations.
Protocol decryption cleared the path to chat manipulation, boffins at Israeli security firm Check Point discovered.
Researchers at Check Point first converted WhatsApp’s (encrypted) protobuf2 data to Json. They then developed extensions to the popular Burp Suite that they claimed facilitated three manipulation methods, allowing them to:
- alter the text of someone else’s reply, essentially putting words in their mouth;
- use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group; and
- send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
The white hat hackers said they’d found it was possible to fake messages and sow the seeds of all sorts of confusion. All the techniques involve social engineering tactics to hoodwink end users, as explained at some length in a blog post by Check Point here.
Kevin Bocek, chief cybersecurity strategist at machine identity protection vendor Venafi, told us: “This was a serious flaw and it’s made possible thanks to machine identities – encryption keys and digital certificates that enable privacy and authentication between our devices, apps, and clouds.”