This year's Black Hat conference, held on August 7, brought to light a security flaw in WhatsApp that allows someone to send messages on your behalf. You may not know that they have acted in your name, nor will the recipient suspect that it was not you who messaged them. Everything is done on the hijacker’s side, without physical access to your phone.

It is sad to hear this kind of news, as WhatsApp is not a small platform: it has over 1.5 billion users across the globe. The vulnerabilities were discovered by Check Point Research, a cybersecurity firm based in Israel.

The team at Check Point did well to list three possible ways WhatsApp users can be exploited.

As found on TNW, they are:

  • Manipulate WhatsApp’s quoting feature to make it look like someone had written something they had not.
  • Alter and reword the text of a user’s response, thereby “putting words in their mouth.”
  • Trick users into sending a private message to one person, when — in reality — their reply went to a more public WhatsApp group.

None of this happened overnight: the researchers informed WhatsApp about the issues over a year ago. The company tackled only the third item on the list and left the other two unresolved. To date, they can still be used by hackers for malicious purposes.

WhatsApp’s end-to-end encryption plays a major role in the problem. The flaw arises from the fact that a user in the group can get their hands on the decrypted version of the messages.

The researchers gave a demonstration during the conference using Check Point’s Burp Suite extension, exploiting the web version of WhatsApp, which lets users pair their phone using a QR code.

