Vulnerabilities in the WhatsApp cross-platform messaging app can be exploited to enable cyber attackers to intercept and manipulate group chat messages, security researchers at Check Point have found.
This gives cyber attackers the ability to create and spread misinformation or fake news from what appear to be trusted sources, the researchers warn, adding that attackers could impersonate group chat participants and even alter potential legal evidence.
The vulnerabilities relate to communications between the mobile version of WhatsApp and the web-based version.
By exploiting these vulnerabilities, the researchers found that attackers could alter the text of someone else’s reply, use the “quote” feature in a group conversation to change the identity of the sender, and send a private message to another group participant disguised as a public message for all, so when the individual responds, it is visible to the whole group.
The researchers found the vulnerabilities by decrypting the communications between the mobile version of WhatsApp and the web-based version.
The web-based version of WhatsApp mirrors all messages sent and received from the user’s phone, which enabled researchers to see all the parameters that are used for WhatsApp communication, and manipulate them to create and send fake messages.
Check Point notified WhatsApp of the vulnerabilities before going public with their findings. “We believe these vulnerabilities to be of the utmost importance and require attention,” the researchers wrote in a blog post.
With more than 1.5 billion users and more than one billion groups, the researchers said WhatsApp has already been used for a number of scams, ranging from fake supermarket and airline giveaways to election tampering.
With the ability to manipulate replies, invent quotes or send private messages pretending to be group ones, the researchers said scammers would have a far greater chance of success and have a powerful social engineering weapon in their arsenal to trick and manipulate people.
While there are no security products that can yet protect users from these types of deceptions, Check Point said there are several ideas to keep in mind to avoid being a victim of fake news and online scams:
- If something sounds too good to be true, it usually is.
- Misinformation spreads faster than the truth, so having multiple sources does not make it fact.
- Cross-check what is on social media with a quick online search about an issue.