WhatsApp, the most popular messaging application in the world, has been found vulnerable to multiple security vulnerabilities that could allow malicious users to intercept and modify the content of messages sent in both private as well as group conversations.
Discovered by security researchers at Israeli security firm Check Point, the flaws take advantage of a loophole in WhatsApp’s security protocols to change the content of the messages, allowing malicious users to create and spread misinformation or fake news from “what appear to be trusted sources.”
The flaws reside in the way WhatsApp mobile application connects with the WhatsApp Web and decrypts end-to-end encrypted messages using the protobuf2 protocol.
The vulnerabilities could allow hackers to misuse the ‘quote‘ feature in a WhatsApp group conversation to change the identity of the sender, or alter the content of someone else’s reply to a group chat, or even send private messages to one of the group participants (but invisible to other members) disguised as a group message for all.
In an example, the researchers were able to change a WhatsApp chat entry that said “Great!”—sent by one member of a group—to read “I’m going to die, in a hospital right now!”
It should be noted that the reported vulnerabilities do not allow a third person to intercept or modify end-to-end encrypted WhatsApp messages, but instead, the flaws could be exploited only by malicious users who are already part of group conversations.
Video Demonstration — How to Modify WhatsApp Chats
To exploit these vulnerabilities, the CheckPoint researchers—Dikla Barda, Roman Zaikin, and Oded Vanunu—created a new custom extension for the popular web application security software Burp Suite, allowing them to easily intercept and modify sent and received encrypted messages on their WhatsApp Web.
The tool, which they named “WhatsApp Protocol Decryption Burp Tool,” is available for free on Github, and first requires an attacker to input its private and public keys, which can be obtained easily “obtained from the key generation phase from WhatsApp Web before the QR code is generated,” as explained by the trio