Check Point Research Released Video Demo of a Nasty WhatsApp Flaw
WhatsApp, the mobile instant messaging platform that Facebook acquired for $19.3 billion four years ago in 2014, has finally acknowledged the critical bug in its “Quote” function. The bug enables attackers to use a fake WhatsApp app to edit a previous message from a contact and pretend to be that contact to other users. Check Point Research announced the flaw on its official security blog.
WhatsApp developers have acknowledged the issue, but it will take some time to fix the problem, as it is highly integrated with their flagship “Quote” feature. Check Point, on the other hand, wants the social media giant to issue a fixed version quickly, as WhatsApp has 1.5 billion users this year, and many could fall victim to dangerous phishing attempts and social engineering attacks from greedy cybercriminals.
Pretending to be someone else is a very effective technique for extracting valuable data from contacts who believe the malicious attacker is an acquaintance. Such deception can lead the victim at the other end of the conversation to reveal personally identifiable information, exposing them to a nasty identity theft crisis.
“We carefully reviewed this issue, and it’s the equivalent of altering an e-mail to make it look like something a person never wrote. This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp. We carefully reviewed this issue and it’s the equivalent of altering an email,” said Carl Woog, WhatsApp’s spokesman.
A Check Point researcher stressed: “Check Point Research, however, recently unveiled new vulnerabilities in the popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.”
An official video from Check Point Research explaining the flaw has been published on YouTube. They posted it to educate WhatsApp users and make them more aware of the critical flaw. The Check Point Research blog post emphasized: “By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.”
Check Point has dubbed the flaw “putting the words into my mouth”, and the security firm is highly motivated to persuade the WhatsApp team to take drastic measures to fix the bug as soon as possible. “In this attack, the attacker is able to manipulate the chat by sending a message back to himself on behalf of the other person, as if it had come from them. By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example,” concluded the blog.
If the Facebook-owned mobile instant messenger company decides to issue a patch, the update will become available in the Apple App Store and Google Play Store.
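A receiving client can detect this kind of tampering by comparing the quote carried in a reply with the original message it already holds. The Python code below is an added example, not code from WhatsApp or Check Point; the message model, field names and sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Quote:
    quoted_id: str       # ID of the message the reply claims to quote
    claimed_sender: str  # sender name shown in the quote
    claimed_text: str    # text shown in the quote


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    text: str
    quote: Optional[Quote] = None


def check_quote(reply: Message, store: Dict[str, Message]) -> str:
    """Compare a reply's embedded quote with the locally stored original."""
    q = reply.quote
    if q is None:
        return "no-quote"
    original = store.get(q.quoted_id)
    if original is None:
        return "unverifiable"      # nothing local to compare against
    if original.sender != q.claimed_sender:
        return "sender-mismatch"   # quote attributes the text to someone else
    if original.text != q.claimed_text:
        return "text-mismatch"     # quoted words differ from what was received
    return "ok"


def flag_replies(replies: List[Message], store: Dict[str, Message]) -> List[Tuple[str, str]]:
    """Return (reply id, verdict) for every reply whose quote is not verified."""
    verdicts = ((r.msg_id, check_quote(r, store)) for r in replies)
    return [(mid, v) for mid, v in verdicts if v not in ("ok", "no-quote")]


# Constructed sample data (hypothetical): two received messages, four replies.
STORE = {m.msg_id: m for m in [
    Message("m1", "alice", "I will pay on Friday"),
    Message("m2", "bob", "See you at noon"),
]}
REPLIES = [
    Message("r1", "carol", "Thanks", Quote("m1", "alice", "I will pay on Friday")),
    Message("r2", "carol", "Deal!", Quote("m1", "alice", "I will pay double today")),
    Message("r3", "carol", "Noted", Quote("m2", "alice", "See you at noon")),
    Message("r4", "carol", "Hm", Quote("m9", "bob", "Never sent")),
]
```

A reply marked "unverifiable" quotes a message the client never received, so it cannot be confirmed either way and is best shown to the user as unverified rather than silently trusted.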
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies, etc. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.