
WhatsApp security flaws can fake messages from you, and there’s no fix

WhatsApp security flaws revealed by security researchers at this year’s Black Hat conference would allow someone to fake messages from you.

Check Point Research says that it found three different ways to exploit the vulnerability, including the ability to put words in your mouth…

The research team said that there are two different ways of making it appear you said something you didn’t.

A threat actor may:

  • Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  • Alter the text of someone else’s reply, essentially putting words in their mouth.

In the first case, something written by someone else could be changed to appear that it was written by you. In the second, something you did write can be freely edited when quoted by anyone else in the chat. The original text would remain unchanged, but anyone viewing the quoted text would see the doctored version. You can see this one demonstrated in the video below.

Additionally, Check Point found a way to fool you into mixing up public and private messages. Facebook was able to fix that one, but, worryingly, the company says it isn’t practical to fix the other two WhatsApp security flaws, even though it was told about them a year ago.

The problem is that WhatsApp uses end-to-end encryption. The vulnerability relies on the fact that a participant in the group can, of course, access the decrypted version of the messages. Facebook cannot, however, so it says it is unable to intervene in this kind of within-chat attack.
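Because only chat participants see the plaintext, any consistency check on a quoted reply has to run on the recipient's device. The sketch below is an added example, not WhatsApp's or Check Point's code: it compares a quoted reply against the recipient's own stored copy of the message with the same ID. The message store, field names and verdict strings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:          # a message already stored on the recipient's device
    msg_id: str
    sender: str
    text: str

@dataclass(frozen=True)
class Quote:            # the quoted part of an incoming reply (hypothetical fields)
    quoted_id: str
    quoted_sender: str
    quoted_text: str

def _norm(text):
    # Collapse whitespace so harmless reflowing is not reported as tampering.
    return " ".join(text.split())

def check_quote(quote, history, members):
    """Classify a quoted reply using only data held on the recipient's device."""
    if quote.quoted_sender not in members:
        return "sender_not_in_group"   # quote attributed to a non-member
    original = history.get(quote.quoted_id)
    if original is None:
        return "unverifiable"          # no local copy to compare against
    if original.sender != quote.quoted_sender:
        return "sender_mismatch"       # quote attributed to a different person
    if _norm(original.text) != _norm(quote.quoted_text):
        return "text_mismatch"         # quoted text differs from the original
    return "match"

# Constructed sample data, not captured traffic.
HISTORY = {m.msg_id: m for m in [
    Message("A1", "alice", "Meeting moved to 3pm"),
    Message("B7", "bob", "I will bring the report"),
]}
MEMBERS = {"alice", "bob", "carol"}
SAMPLE_QUOTES = [
    Quote("A1", "alice", "Meeting  moved to 3pm"),  # faithful, extra space only
    Quote("B7", "bob", "I lost the report"),        # text altered
    Quote("A1", "bob", "Meeting moved to 3pm"),     # sender changed
    Quote("Z9", "dave", "Agreed"),                  # dave is not a member
    Quote("Q4", "carol", "Agreed"),                 # original not stored locally
]

def audit(quotes=SAMPLE_QUOTES):
    return [check_quote(q, HISTORY, MEMBERS) for q in quotes]

if __name__ == "__main__":
    for quote, verdict in zip(SAMPLE_QUOTES, audit()):
        print(f"{quote.quoted_id} {quote.quoted_sender}: {verdict}")
```

The "unverifiable" verdict is the limit of this approach: a recipient who never received or no longer stores the original has nothing to compare the quote against.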

TNW explains how the attack works.

The researchers exploited the web version of WhatsApp that allows users to pair their phone using a QR code.

By obtaining the private and public key pair created before a QR code is generated, and the “secret” parameter that is sent by the mobile phone to WhatsApp Web while the user scans the QR code, the extension makes it easy to monitor and decrypt communications on the fly […]

Once the web traffic — containing details like participant details, the actual conversation, and a unique ID — is captured, the researchers said the flaws allowed them to spoof message replies, alter message content, and even “manipulate the chat by sending a message back to the sender on behalf of the other person, as if it had come from them.”

The risks of real-life exploitation will be low for most people. However, the more people in a chat, the greater the risk, so the biggest threat here is large groups, where the approach could be used to disseminate disinformation that would then be forwarded by other people.

An upcoming change in iOS 13 will limit what messaging apps like WhatsApp can do while running in background mode, but wouldn’t have any impact on this issue.


Author: Ben Lovejoy
