Check Point Research has unearthed a new flaw in WhatsApp. The vulnerability can potentially allow people to fake messages. The worst part is that there is currently no fix for this issue.
According to the researchers, the vulnerability would enable threat actors to intercept and manipulate messages sent in both private and group conversations. The flaw is likely to allow threat actors to spread misinformation and fake news on a larger scale. We have already seen how misinformation and fake news were used to sway the U.S. elections in 2016.
The researchers have found three ways in which a threat actor can impersonate you and send messages. In all three cases, the recipient will believe that you sent the message. Interestingly, all three methods involve some degree of social engineering to fool users. The following methods are used to spoof end users:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.
It is worth noting that WhatsApp has already fixed the third method. However, the researchers were still able to use quoted messages to manipulate conversations and spread misinformation. Check Point has already informed WhatsApp about the flaws.
In the quoted-message case, the original text remains unaltered; only the quoted text changes. Apparently, the threat actor uses WhatsApp's end-to-end encryption to their advantage: a participant in the group can access decrypted versions of messages, while Facebook cannot intervene. In other words, the company claims that it is helpless and cannot stop such attacks from happening.
A word of caution: take a moment to read what is sent on WhatsApp. Be it news or any other information, make sure you authenticate it before sharing or even believing it. Have you been victimized by WhatsApp scams? Let us know in the comments below.