Flaw in WhatsApp: Your messages can be manipulated by hackers

10 Aug 2018 | By Shiladitya Ray
WhatsApp security flaw allows hackers to manipulate messages

Researchers from security firm Check Point have discovered a flaw in WhatsApp that could allow hackers to intercept and manipulate content of WhatsApp messages in both private and group chats.

With over 1.5 billion users on WhatsApp, the security flaw could be exploited to massively expand the reach of fake news, warned Check Point.

So, what is this security flaw? We explore.


Discovery: First of all, how the researchers found the security flaw

It's common knowledge that WhatsApp chats are end-to-end encrypted, so that no one apart from a receiver (not even WhatsApp) can view a message.

This encryption process caught Counter Point's attention, and researchers decided to reverse-engineer WhatsApp's algorithm and decrypt the data.

They found that WhatsApp used a particular protocol, 'protobuf2', and by converting protobuf2 data to the JSON format, they found disturbing insights.


Decrypting WhatsApp data opened new doors, says Counter Point

"By decrypting the WhatsApp communication, we were able to see all parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues," said Counter Point.

Attack scenarios: How the security flaw can be exploited by malicious actors

Check Point detailed three attack scenarios.

Malicious actors could use the group chat 'quote' feature to alter the identity of a sender, even if that person isn't in the group.

Hackers could also alter the text of someone else's reply.

Finally, hackers could send a private message to a group participant that is disguised as a public message, making any reply to it public.

WhatsApp's response: So, what does WhatsApp have to say about it?

Check Point notified WhatsApp of its findings.

Meanwhile, in a statement to The New York Times, WhatsApp acknowledged that the quote feature could indeed be exploited, but denied that it was a flaw.

WhatsApp explained that its end-to-end encryption was working as intended, and that the trade-off involved in preventing such deception by individually verifying every message could lead to massive privacy risks and sluggish service.

Implications: The gloomy implications of the security flaw

Regardless, the gloomy implications of the 'security flaw' loom large.

With over 1.5 billion users, one billion groups, and 65 billion messages being sent every day on WhatsApp, the potential for online scams and the proliferation of fake news is already high owing to the clutter.

Now, with additional tools in their arsenal, malicious actors might be even more tempted to exploit the platform.


Fake news: Fake news on WhatsApp is increasingly becoming dangerous

This is particularly disturbing, given recent incidents surrounding the propagation of fake news on WhatsApp.

In India, nearly 30 people have died in the past few months owing to the circulation on WhatsApp of fake news that induces fear or mass hysteria.

In Brazil, fake news on WhatsApp has been dissuading people from taking vaccines against yellow fever, which is on the rise in the country.

Efforts: WhatsApp's efforts to curb fake news could be wasted

WhatsApp has been taking steps against the propagation of fake news in India. It has recently introduced a limit on forwarded messages and a 'forwarded' label, and is currently working on identifying suspicious links.

However, in light of this discovery, these efforts could go to waste if hackers were to exploit the flaw to increase the propagation of such fake news.