An Israeli security company has discovered a way to edit messages in WhatsApp conversations.
The problem was discovered by a team of security experts at Check Point Research.
Investigators alerted WhatsApp to the existence of three bugs affecting private and public messages last year, but have claimed only one of them was plugged.
Check Point said a hacker can:
- Alter the text of someone else’s reply to a group chat, essentially putting words in their mouth.
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, to make it appear as if it came from a person who is not even part of the group. By doing this, it would be possible to incriminate a person or close a fraudulent deal, for example.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation. This bug has been fixed.
The exploit involves hacking the WhatsApp algorithms that encrypt messages so that only the sender and recipient can see them.
It was first revealed last year but is in the news again after Roman Zaikin, a security researcher, and Oded Vanunu gave a talk called ‘Reverse Engineering WhatsApp Encryption for Chat Manipulation and More’ at the Black Hat conference.
Laying all the information out in a technical document released last year, the team explained: ‘By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.’
The team at Check Point Research says it has ‘notified WhatsApp of the flaws’ and that the company has ‘acknowledged’ them but that they are part of the app’s design framework.
A spokesperson from WhatsApp said: ‘We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote. This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.
‘We take the challenge of misinformation seriously and recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats.
‘We ban accounts that attempt to modify WhatsApp to engage in spammy behavior and we are working with civil society in several countries to educate people about fake news and hoaxes.’