A flaw with WhatsApp has allowed hackers to develop a tool capable of changing the content of quoted messages.
The tool was created by cybersecurity researchers from Checkpoint and demonstrated at the Black Hat conference in Las Vegas this week. The tool takes advantage of two WhatsApp vulnerabilities which the Facebook-owned messaging service has not fixed since first discovered by Checkpoint in August 2018.
While WhatsApp managed to fix a third flaw, the other two remain active. Checkpoint researchers said in a lengthy blog post this week: "We found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources."
The researchers created a tool which allows them to "decrypt WhatsApp communication and spoof the messages". If the tool, or one just like it, were to be used by a malicious actor, Checkpoint warns that they could "alter the text of someone else's reply, essentially putting words in their mouth."
As well as changing the content of a quoted message, it is also possible to change the name of the sender, essentially allowing a malicious actor to make anyone appear to say anything they like.
A third vulnerability discovered by Checkpoint in August 2018 made it possible to send a private message to another group participant that is disguised as a public message for all, so when the target replies (thinking they are sending a private message) it appears in the group chat.
This third flaw has been fixed by WhatsApp, Checkpoint says, but the other two are still active and might not be fixed any time soon. This is because the exploits are linked to how WhatsApp's encryption works: the company cannot see the content of messages sent between its users, which makes it impossible for WhatsApp itself to verify their content.
Simply put, if WhatsApp cannot see the content of messages, it has no way of knowing if the message sent by one user is the same as the (potentially doctored) message received by another.
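To make that point concrete, here is an added Python model (not code from the article, Checkpoint or WhatsApp) of why a quote check can only happen on the receiving device: the message format, the `check_quote` function and the sample messages are all assumptions constructed for the illustration. The server never holds plaintext, but the recipient's client already has the original message and can compare it against the quoted copy it is shown.

```python
"""Client-side check for quoted-message tampering.

Simplified model (not WhatsApp's real wire format, an assumption for this
example): a reply carries a copy of the text and sender it quotes. The
server only relays ciphertext, so only the receiving client, which already
holds the original message, can tell whether the quoted copy was altered.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    text: str


@dataclass(frozen=True)
class Reply(Message):
    quoted_id: str      # id of the message being quoted
    quoted_sender: str  # name shown as the quoted message's author
    quoted_text: str    # text shown as the quoted message's content


def fingerprint(sender: str, text: str) -> str:
    """Hash of sender and text, so a client can keep digests instead of plaintext."""
    return hashlib.sha256(f"{sender}\x00{text}".encode()).hexdigest()


def check_quote(history: dict, reply: Reply) -> str:
    """Return 'ok', 'altered' or 'unknown' for the quote carried by a reply."""
    original = history.get(reply.quoted_id)
    if original is None:
        return "unknown"  # no local copy to compare against
    expected = fingerprint(original.sender, original.text)
    shown = fingerprint(reply.quoted_sender, reply.quoted_text)
    return "ok" if expected == shown else "altered"


# Constructed sample: what this client actually received from "bob" ...
HISTORY = {"m1": Message("m1", "bob", "Let's meet at 10")}
# ... a truthful reply, a reply with doctored quoted text, and one with a swapped sender.
HONEST = Reply("r1", "carol", "fine", "m1", "bob", "Let's meet at 10")
DOCTORED = Reply("r2", "carol", "agreed", "m1", "bob", "Let's meet at 8")
SPOOFED_SENDER = Reply("r3", "carol", "agreed", "m1", "alice", "Let's meet at 10")

if __name__ == "__main__":
    for r in (HONEST, DOCTORED, SPOOFED_SENDER):
        print(r.msg_id, check_quote(HISTORY, r))
```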