WhatsApp is the world's largest cross-platform instant messaging application, connecting people from across the world with the power of the internet. One of the many reasons WhatsApp is widely popular is its end-to-end encryption, which users believe safeguards their conversations from prying eyes and ears. What if that is not entirely true?
An Israel-based cybersecurity firm, Check Point Research, discovered a critical flaw in WhatsApp that could allow hackers to manipulate messages as well as the sender's identity. As a result of this, hackers can spread misinformation and make it appear like the message is coming from an authentic source.
Researchers at the security firm found three attack modes that put WhatsApp users at risk. The exploit uses the "quote" feature in a group chat to change the content of the message and the identity of the sender, regardless of whether the member is a part of the group or not.
Hackers can change the content of the message in the quoted text. The original message will remain the same, but those who are looking at the quoted message will easily be fooled. The third attack mode allows hackers to send a private message to a contact in the group, but when the recipient replies, the whole group sees it.
Check Point Research shared a series of screenshots to show that the exploit exists and that users are vulnerable to the attack. The researchers reverse-engineered the encryption WhatsApp uses in order to manipulate messages. They also shared a video that shows how the attack works and how end users see it.
Using the vulnerability, researchers were able to decrypt a message, which is said to be protected by WhatsApp's end-to-end encryption. The app's high-end security is said to be rock solid, and only the sender and the recipient of a message are allowed to read it. In fact, even the company doesn't have the ability to intercept messages shared on the platform. But this vulnerability changes things, and in a big way.
There's no word on whether the flaw has been exploited by hackers, but the researchers have informed WhatsApp about it. But WhatsApp is confident that no such vulnerability poses a risk to users.
"We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn't write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private, such as storing information about the origin of messages," a Facebook spokesperson told Forbes.