The cyber-security firm Check Point has discovered a flaw in WhatsApp that allows scammers to alter the content, or change the identity of the sender, of a previously delivered message. Hackers can create a hacked version of WhatsApp and change the “quote” to give the impression that someone sent a message they did not actually send.
WhatsApp acknowledged that anyone can manipulate the Quote feature, but the company did not agree that this is a flaw. According to the research firm, the vulnerability so far allows for three possible attacks: changing a reply from someone; quoting a message in a reply to a group conversation to make it appear as if it came from a person who is not even part of the group; and, finally, sending a message to a member of a group that pretends to be a group message but is in fact sent only to this member, while the member’s response is sent to the entire group.
However, WhatsApp said that the system was working as intended, since preventing such deception by verifying every message on the platform would create an enormous privacy risk or bog down the service. It also gave assurances that it worked to find and remove anyone using a fake WhatsApp application to spoof the service. It simply turned down the concerns raised by Check Point, saying most people know the person they are messaging on the service.
The company said 90 percent of all messages are exchanged one-on-one, and the majority of groups are six people or fewer, making it less likely that an unknown person can infiltrate a conversation with the aim of tricking other users in the group. WhatsApp also said that the potential fixes to this issue are not worth trying, but offered one solution: creating transcripts of every message exchange to verify the accuracy of every quote.
Oded Vanunu, Check Point’s Head of Product Vulnerability Research, said:
“Given WhatsApp’s prevalence among consumers, businesses, and government agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams. As one of the main communication channels available today, WhatsApp is used for sensitive conversations ranging from confidential corporate and government information, to criminal intelligence that could be used in a court of law.”
Carl Woog, a spokesman for WhatsApp, said in a statement:
“We carefully reviewed this issue and it’s the equivalent of altering an email. What Check Point discovered had nothing to do with the security of WhatsApp’s so-called end-to-end encryption, which ensures only the sender and recipient can read messages.”