WhatsApp cannot seem to catch a break! With the Indian government breathing down their necks because of recent events involving fake news it is now being reported that due to a security flaw Whatsapp messages can be intercepted and altered.
Encryption is not enough?
This flaw was uncovered by Check Point Research –a research firm that focuses on cyber threats- who we will refer to as CPR going forward. Surprisingly, the encryption which is constantly brought up as a reason why WhatsApp is safe is where the problem actually lies.
CPR researchers decided to try and reverse the algorithm Whatsapp uses to encrypt data. They did this in hopes of decrypting the data. The protocol that WhatsApp uses for encryption (protobuf2 protocol) was converted to another format (Json) and voila, the messages could be read.
Here is the video of the hack in action;
In the event of an attack what are the outcomes?
In a blog post and as shown in the video above, Check Point disclosed some of the nature of attacks that can be carried out:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
Whatsapp will probably act quickly…
The news has already started spreading and CPR themselves did inform WhatsApp of the vulnerability:
Following the process of Responsible Disclosure, Check Point Research informed WhatsApp of their findings. From Check Point Research’s view, we believe these vulnerabilities to be of the utmost importance and require attention.
Knowing how serious the conversation about fake news is right now, I would like to think this is something that will be patched as quickly as possible. With something like this out in the wild it makes it even harder for fake news to be contained since perpetrators can hide behind this bug and claim ignorance of spreading inaccurate information or they could indeed be abused and have their messages altered. This is a serious flaw and one WhatsApp should definitely take care of immediately.
One response
This is a half penned article. You have successfully spread some #scareware and never bothered to tell all your readers the requirements for the hack to be successful. This is one hack not easy to do beacause the required private key can only be obtained from the key generation phase from #WhatsApp Web before the #QR code is generated