WhatsApp appears to contain a series of vulnerabilities that allow hackers to take over conversations. The vulnerabilities and three methods of abusing them were revealed this week by Check Point researchers Dikla Barda, Roman Zaikin and Oded Vanunu.
According to the researchers, the flaws can enable hackers to intercept and manipulate messages in private and group conversations, writes ZDNet. This gives attackers considerable power to create misinformation and spread it through what appear to be reliable sources.
The researchers revealed the vulnerabilities and exploits during the recent Black Hat conference in Las Vegas. The flaws appear to have existed for a year already, even though WhatsApp was informed about them in 2018.
According to Facebook, the flaws are the result of limitations that cannot be solved because of the platform's structure and architecture.
Proof of concept
The researchers built a tool as a proof of concept to make clear what the problem is. They consider the vulnerabilities to be of the utmost importance and in need of attention.
There appear to be three ways of exploiting the problems. The first uses the quote function in a group conversation. This allows the identity of a sender to be changed, even if that person is not part of the conversation.
A reply can also be altered. Finally, it is possible to send a private message to another member of a group conversation that is disguised as a public message. If someone responds to that message, everyone in the conversation can see the content.
Decrypting data
Check Point also tried to reverse-engineer WhatsApp's algorithm to decrypt data and communication. The team was able to see the parameters sent between the desktop and mobile versions of the platform. This allowed them to develop the tool and carry out the attacks.
Facebook has since fixed the problem in which a private message is disguised as a public message. However, the other two flaws still seem to exist.
Vanunu argues that the researchers chose to reveal the problems anyway, because this is a major problem with fake news and manipulation. "It is an infrastructure that serves more than 1.5 billion users. We can't put this aside and say, 'Okay, this isn't happening.'"
This news article was automatically translated from Dutch.