Researchers discover critical WhatsApp flaws: Should you be worried?

WhatsApp said that it was false to suggest there is a vulnerability with the security the company offers on the instant messaging app.

Updated on: Aug 20 2022, 16:21 IST
Researchers claim WhatsApp’s flaws can allow hackers to alter messages (HT Photo)

Cybersecurity researchers at Check Point claim to have discovered multiple flaws in the popular instant messaging app WhatsApp. The three vulnerabilities allow hackers to spoof the identity of a sender, alter the text of someone else's reply, and send a private message to a group participant that's disguised as a public message.

Researchers developed a tool that enabled them to decrypt WhatsApp communication and spoof the messages. Researchers pointed out that they focused on reversing WhatsApp's algorithm to decrypt the data after analyzing how the messaging company encrypts the communication.


Vulnerability 1: Altering the identity of a sender

Researchers demonstrated that hackers can access encrypted traffic to impersonate another group member and then send it an extension to decrypt the content. Hackers can then reply to a spoofed message in a group, even though the original message being replied to never existed.

Vulnerability 2: Putting words in your mouth

The second vulnerability allows hackers to change the message sent by the sender back to himself. Researchers said they exploited the "fromMe" parameter used in WhatsApp messages. The parameter is essentially used to indicate who the original sender of a message is.


WhatsApp's response

WhatsApp rejected the Check Point study saying the hacks were not a vulnerability with the security protocols of the instant messaging app. The company said that the so-called vulnerability was akin to altering email replies.

"We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn't write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private - such as storing information about the origin of messages," said a WhatsApp spokesperson.

Security researchers share a screenshot of a spoofed message (Checkpoint)

Should you be worried?

The latest study reveals a complex but feasible method for hackers to commit fraud through WhatsApp. Security experts suggest that users should be mindful of the messages they see in group chats. If they find anything suspicious, they should verify with the sender in a private chat.

Rahul Tyagi, Co-founder, Lucideus said, "WhatsApp can prevent this by addressing the vulnerabilities and fixing them which WhatsApp denied the existence of. In this scenario, Checkpoint has mentioned that they were able to create a decrypter by identifying the encryption that WhatsApp uses, denoting the possibilities of attackers gaining the same knowledge to create decrypter tools and intercept the users' messages."

Farrhad Acidwalla, founder of Cybernetiv Digital - Forward Thinking Analytics and Research, said, "Any security flaw if accessible to those with the mens rea to exploit it will be potentially detrimental to consumers and enterprises. These apparent WhatsApp vulnerabilities could permit malicious actors to spread fake news or put words in chats that victims never really said."

"WhatsApp seems to have known about some of these flaws for a while but hasn't pushed out the fixes. An official Facebook response compared these bugs to altering an email thread to change someone's words. Technologically, it makes sense that the chats are end-to-end encrypted and Facebook may feel like it cannot do much here as the exploit is coming from within one of the users' phones," he added.

"WhatsApp is the most popular instant messenger in the world. These security flaws found in the app are indeed very serious, as they could result in group chat participants being humiliated by false messages. This does not mean that users should stop using WhatsApp, as, while security bugs are of course dangerous, they are not uncommon in any type of software," said Victor Chebyshev, a security researcher at Kaspersky.

"Yet, users should be very careful when contributing to group chats. In case of any doubt during correspondence, confirm the author's identity in a private chat. We strongly recommend keeping an eye on when WhatsApp updates are released and downloading new versions immediately to stay secure," he added.

For now, users can block a sender who they think is trying to spoof messages. They can also report such behaviour to WhatsApp.

WhatsApp last year pointed out that it was possible for hackers to manipulate the "quote" feature but it was not a flaw related to its end-to-end encryption. "We carefully reviewed this issue and it's the equivalent of altering an email," a WhatsApp spokesperson had told The New York Times last year.

WhatsApp had said the offered fixes, such as creating transcripts of every message exchange, weren't worth considering as they would undermine the security standards of the app.



First Published Date: 09 Aug, 11:47 IST