Researchers at Check Point have found a vulnerability in the popular messaging app WhatsApp that could allow hackers to manipulate messages being sent and thus spread misinformation. By creating an altered version of WhatsApp, hackers can change a “quoted” message to make it appear that someone sent a message that was actually never sent.
The researchers discovered that by creating a hacked version of WhatsApp, attackers will be able to manipulate the quoting feature. The quote is a way to reply to a particular message in a thread, with the original message tagged alongside. The purpose of such an attack is to give someone the impression that another person sent a message that was never actually sent in the first place. The vulnerability poses a huge risk of scamming people into believing something and thus spreading fake information in the process.
According to Check Point, there are three possible ways to exploit WhatsApp’s quoting feature to fool users into believing fake news.
- Changing a reply from someone to put words into their mouth that they did not say.
- Quoting a message in a reply to a group conversation to make it appear as if it came from a person who is not even part of the group.
- Sending a message to a member of a group that pretends to be a group message but is in fact only sent to this member. However, the member’s response will be sent to the entire group.
What this means is that hackers can alter someone’s reply not just in a two-person conversation inside WhatsApp but also in a group chat. To worsen the problem even further, hackers will also be able to change the identity of a message’s sender when using the ‘quote’ feature. Another possibility is a hacker sending a private message disguised as a group message, so that the recipient’s reply shows up in everyone’s chat within that group.
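The manipulations above work because the quoted copy inside a reply is supplied by the replying client. The following is an added example, not code from Check Point or WhatsApp: a simplified model in which a receiving client compares an incoming quote with its own local history and group roster. The `Message` and `Quote` structures, the field names and the sample data are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:          # a message this client actually received
    msg_id: str
    chat_id: str
    sender: str
    text: str

@dataclass(frozen=True)
class Quote:            # every field here is supplied by the replying client
    msg_id: str
    chat_id: str
    sender: str
    text: str

def check_quote(quote, delivered_chat_id, history, members):
    """Compare a quote with local state; return a list of inconsistencies."""
    findings = []
    # The quote claims a conversation other than the one the reply arrived in.
    if quote.chat_id != delivered_chat_id:
        findings.append("chat_mismatch")
    # The claimed author is not a participant of the claimed conversation.
    if quote.sender not in members.get(quote.chat_id, set()):
        findings.append("sender_not_member")
    original = history.get(quote.msg_id)
    if original is None:
        # No local copy to compare against: unverifiable, not proven forged.
        findings.append("unknown_message")
    else:
        if original.sender != quote.sender:
            findings.append("sender_altered")
        if original.text != quote.text:
            findings.append("text_altered")
    return findings

# Constructed sample state (hypothetical names and ids).
HISTORY = {"m1": Message("m1", "group-1", "alice", "Meeting is at 10am")}
MEMBERS = {"group-1": {"alice", "bob", "carol"}}

if __name__ == "__main__":
    samples = [
        (Quote("m1", "group-1", "alice", "Meeting is at 10am"), "group-1"),
        (Quote("m1", "group-1", "alice", "Meeting is cancelled"), "group-1"),
        (Quote("m9", "group-1", "mallory", "I approve"), "group-1"),
        (Quote("m1", "group-1", "alice", "Meeting is at 10am"), "dm-bob"),
    ]
    for quote, delivered in samples:
        print(quote.sender, delivered, check_quote(quote, delivered, HISTORY, MEMBERS))
```

An `unknown_message` result also occurs legitimately when the recipient joined the chat later or cleared their history, so a client following this model would show such a quote as unverified rather than as forged.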
Amidst a wave of criticism regarding fake news and misinformation on its platform, WhatsApp did eventually review the situation and admitted to The New York Times that such a scenario is indeed possible, but played down the issue, saying it is not a flaw and that it won’t fix it. Company spokesperson Carl Woog said: “We carefully reviewed this issue and it’s the equivalent of altering an email” and indicated that WhatsApp’s end-to-end encryption isn’t of much help in this case. Woog also added that it’s impossible to authenticate each and every message sent by users and that doing so would further worsen the security issues around the messaging service.
WhatsApp has already been criticised for not taking measures against the spread of fake news and misinformation and the latest news just adds to the burning question of whether the Facebook-owned company will do the needful in solving these issues once and for all.