WhatsApp messages are encrypted so that they can only be seen by the recipient.
But the cybersecurity firm said its researchers managed to create a tool that allowed them to “decrypt WhatsApp communication and spoof the messages”.
“By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This enabled us to then manipulate them and start looking for security issues,” the firm said.
Check Point Research, however, recently unveiled new vulnerabilities in the popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.
“In this attack, it is possible to spoof a reply message to impersonate another group member and even a non-existing group member,” the firm said.
The three possible methods of attack exploiting this vulnerability which checkpoint researcher found – all of which involve social engineering tactics to fool end-users. A threat actor can:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
Following the process of Responsible Disclosure, Check Point Research informed WhatsApp of their findings. From Check Point Research’s view, they believe these vulnerabilities to be of the utmost importance and require attention.
Hackers can also change the text of someone’s reply and send private messages disguised as public messages to members of a group chat, so the target’s response is visible to all the participants in the conversation.
“By doing so, it would be possible to incriminate a person, or close a fraudulent deal, for example,” the firm said.
A third vulnerability that has been fixed according to the firm involved allowing private messages sent to group members to be disguised as public.
“The three methods involve social engineering tactics to fool end-users,” the firm said.
“Instant messaging is a vital technology that serves us day-to-day, we manage our private and professional life on this platform and it’s our role in the infosec industry to alert on scenarios that might question the integrity,” Oded Vanunu, head of products vulnerability research at Check Point, was quoted by Forbes as saying.