WhatsApp security snafu allows sneaky 'message manipulation'

You could put words in people's mouths, claim researchers

Researchers claim to have uncovered weaknesses in WhatsApp that can be exploited to manipulate messages in private and group conversations.

Eggheads at Israeli security firm Check Point this week described how, with some social engineering trickery and custom extensions for popular network-packet-twiddling toolkit Burp Suite, they can:

  1. Alter the text of someone's reply on their phone, essentially putting words in the other person's mouth.
  2. Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

Basically, you can tamper with messages received and stored on your device, quote them back to your mark, and sow the seeds of all sorts of confusion. All the techniques involve social engineering tactics to hoodwink marks, as well as obtaining your public-private key pair from WhatsApp, as explained at some length in a blog post by Check Point's Dikla Barda, Roman Zaikin, and Oded Vanunu right here.

There's also a video illustrating the approach, as embedded below.

Kevin Bocek, chief cybersecurity strategist at machine identity protection vendor Venafi, told us: “This was a serious flaw and it’s made possible thanks to machine identities – encryption keys and digital certificates that enable privacy and authentication between our devices, apps, and clouds.”

El Reg asked Facebook-owned WhatsApp to comment, and we're yet to receive a response. We'll update this story as and when more information comes to hand. ®




Biting the hand that feeds IT © 1998–2018