WhatsApp: Check Point's Flaw Findings Don't Merit PatchesMessages Can Be Manipulated, But Fixes Would Pose Privacy Risks, WhatsApp Says
Check Point says it has found three ways to falsify and manipulate messages in WhatsApp, which the security company claims could be employed by scammers and used to spread fake news.
But WhatsApp, which is owned by Facebook, disputes that the issues are vulnerabilities and says it has no plans to amend its software.
Claims of security vulnerabilities in WhatsApp tend to draw wide attention because the messaging app is used by 1.5 billion people per month. Unlike Facebook's Messenger product, WhatsApp engenders greater trust because it uses end-to-end encryption to protect transmitted content.
Check Point casts its findings as "disturbing," saying "we believe these vulnerabilities to be of utmost importance and require attention."
But a WhatsApp spokesman tells The New York Times the issues are "the equivalent of altering an email." The app works as intended, and it is possible to manipulate it, WhatsApps acknowledges. But the fix - verifying every message on the platform - would either create enormous privacy risks or hamper its performance.
The New York Times reports that neither company has seen attempts to use the attacks described by Check Point in the wild.
To get inside of how WhatsApp works, Check Point discovered how to decrypt messages. By decrypting the data, Check Point could then see the parameters that are sent around a message, such as who sent it, timestamps and what type of device it was sent from, among many others.
The researchers also developed an extension called the WhatsApp Decoder for Burp Suite, which allows for quick manipulation of messages.
In one attack, Check Point alters a message sent by a fictitious boss. The boss says the attacker has been granted a $500 raise. The attacker takes the message and creates a second one that changes the raise to $1,500.
But one issue with this scenario is that the original message from the boss about the $500 raise is still visible in the message record, possibly raising suspicions.
Crafting Fake News
In another scenario, the attacker manipulates a message sent by the administrator of the group. An altered message is then played back to the group, which appears as a quote coming from the administrator.
Check Point says this is an example of how so-called "fake news" could be spread using WhatsApp. It's not a far-fetched scenario because false information circulating on WhatsApp has been identified as possibly fueling violence, most recently in India.
The messaging app was used to spread inaccurate information that individuals in certain communities in India were looking to harvest organs from people and kidnap children, according to The Independent, a U.K. newspaper. The rumors tragically led to five men being lynched in early July.
WhatsApp limits the number of people in a group to 256. And following the violence in India, WhatsApp said in mid-July it would impose a limit on the number of chats that can be forwarded on to five.
Also in July, WhatsApp said it would label forwarded messages in an attempt make it clearer to the recipient whether the message came from a friend or someone else.
Check Point's last attack scenario involves concealing a message from someone who is part of a group. But the response to the hidden message is revealed to all, prompting confusion and possibly inadvertent disclosure of information.
The company contends that in larger WhatsApp groups where many messages are sent, it is "less likely a member would have the time or inclination to double check every message to verify its authenticity, and could easily be taken in by the information they see."
Check Point contends in a separate blog post: "As already seen by spam emails that fake the sender's name to appear to be from a source the receiver trusts, this latest vulnerability would allow for similar methods to be used though from a totally different attack vector."
A Feasible Attack?
But the key to whether the attack scenarios could actually be used depends on how easy it is for attackers to replicate Check Point's research.
Check Point managed to reverse engineer WhatsApp's encryption algorithm, a feat that could prove difficult for less skilled attackers. Still, if someone manages to do that and release the information publicly, it could make such message manipulations possible.
But WhatsApp told the New York Times that if it detects anyone using a modified version of the app to spoof the service, it would remove them from the platform.