Check Point cybersecurity researchers say they have found a number of flaws in the popular instant messaging app WhatsApp. Tripartite vulnerabilities allow hackers to deceive the sender, change the text of someone else's response, and send a private message to a group that is disguised as a public message.
CheckPoint researchers claim to have informed WhatsApp about the vulnerabilities in 2018. The instant messaging company only corrected the third vulnerability while leaving the other two vulnerabilities exposed to hackers.
The researchers developed a tool that allowed them to decrypt WhatsApp communication and broadcast messages. The researchers said they focused on reversing WhatsApp's data decryption algorithm after analyzing how a communications company encrypts communication.
Vulnerability 1: Change sender identity
Researchers have demonstrated that hackers can access encrypted traffic to impersonate another member of the group and then send it an extension to decrypt the content. Hackers can then respond to a forged message in a group, although the original reply message never existed.
Vulnerability 2: Put words in your mouth
The second vulnerability allows hackers to modify the message sent by the sender back to it. The researchers said you were using the "fromMe" parameter used in WhatsApp messages. The parameter is essentially used to indicate who is the original sender of the message.
WhatsApp rejected the Check Point survey, saying hacks were not a security vulnerability with the instant messaging application's security protocols. The company said the so-called vulnerability was similar to changing email responses.
"We carefully reviewed this issue a year ago and it is incorrect to assume that there is a security vulnerability we provide at WhatsApp. The scenario described here is simply the mobile equivalent of changing the replies in an email subject to make it look like something a person did not write. We need to keep in mind that dealing with the problems raised by these researchers can make WhatsApp less private – like storing information about the origin of messages, "said a spokesman for WhatsApp.
Security researchers share a screenshot of a fraudulent message
Do you have to worry?
The latest study reveals a complex but feasible method for hackers to commit fraud through WhatsApp. Security experts suggest that users should consider their messages in group messages. If they find something suspicious, they should check with the sender in a private chat.
Rahul Tyagi, co-founder, Lucideus, said: "WhatsApp can counteract this by addressing the vulnerabilities and repairing them, for which WhatsApp denied existence. In this scenario, Checkpoint mentioned that they were able to create a descriptor, identifying the encryption used by WhatsApp, pointing to the ability of attackers to gain the same knowledge to create tools to decrypt and intercept user messages. "
"If WhatsApp wanted to address and prevent this, then the privacy feature that WhatApp promises would be affected, as it would have to store user information to identify the validity of messages communicated between users," he added.
Farrhad Acidwalla, founder of Cybernetiv Digital – Forward Thinking Analytics and Research, said: "Any security flaw, if accessible to those who have the messenger, can use it can be detrimental to consumers and businesses. These apparent vulnerabilities of Whatsapp can allow malicious participants to spread fake news or put words in chats that victims have never said. "
"Whatsapp seems to have known about some of these shortcomings for some time, but it did not remove the fixes. An official Facebook response compared these errors with changing the email thread to change someone's words. Technologically, it makes sense that chats are end-to-end encrypted, and Facebook may feel that it can't do much here because the operation comes from one of the users' phones, "he added.
"WhatsApp is the most popular messenger in the world. These security gaps discovered in the app are really very serious as they can lead to humiliation of participants in a group chat of fake messages. This does not mean that users should stop using WhatsApp because, while security errors are, of course, dangerous, they are not uncommon in any type of software, "said Viktor Chebishev, a security researcher at Kaspersky.
"Still, users have to be very careful when engaging in group chats. In case of doubt during correspondence, confirm the identity of the author in a personal chat. We highly recommend keeping track of whatsapp updates are available and downloading new versions immediately to stay safe, "he added.
For now, users can block a sender who they believe is trying to scam messages. They may also report such behavior to WhatsApp.
WhatsApp said last year that hackers could manipulate the "quo" feature, but this is not a drawback of end-to-end encryption. "We have carefully reviewed the issue and it is the equivalent of changing the email," a WhatsApp spokesman told The New York Times last year.
WhatsApp said the proposed fixes, such as creating transcripts of every messaging, are not worth considering as they will undermine the security standards of the application.
August 09, 2019 11:47 AM IST