Facebook leaves flaw in WhatsApp unresolved for a year
Hackers found way to change message content and sender
Facebook blamed WhatsApp’s flaws on “limitations that can’t be solved due to their structure and architecture”, Oded Vanunu of Check Point said. Photograph: Thomas White/Reuters
Researchers at security software company Check Point said in August last year that they had discovered ways in which a malicious actor could alter messages in WhatsApp, “essentially putting words in [someone’s] mouth”, and also change the identity of the sender of content in a group chat.
But WhatsApp, which was bought by Facebook in 2014, has failed to resolve the issue, which remains today, Check Point said.
Speaking at the Black Hat cyber security conference, Oded Vanunu, head of product vulnerability research at the security company, said Facebook blamed WhatsApp’s flaws on “limitations that can’t be solved due to their structure and architecture”.
Check Point said it had now launched a tool that would allow users to carry out the manipulations, in order to raise greater awareness of the issue.
Facebook has begun introducing some restrictions to WhatsApp following mounting concerns over the ease with which the messaging app can be used to spread misinformation and fake news.
In July 2018, WhatsApp started to notify users when messages had been forwarded by a sender, rather than just composed by them, after a spate of lynchings in India – including 17 fatalities – were alleged to have been sparked by false and inflammatory WhatsApp rumours.
Earlier this year, the company also limited to five the number of recipients a user could forward a message to, down from 20.
Check Point last year uncovered three ways in which WhatsApp’s messaging system could be manipulated, one of which Facebook resolved.
However two remain. In one scenario, an attacker could change the identity of a sender in a group chat, impersonating another member of that group or even creating a non-existent group member, by using the “quote function” whereby a user reposts a message when responding to it.
In another, an attacker could reply to a message using the quote function and make it appear as if that message had originally been something different.
A malicious actor would not have to crack Facebook’s end-to-end encryption in order to do this, Mr Vanunu said, adding that the process was “not so complex to perform”. – Copyright The Financial Times Limited 2019