Your encrypted WhatsApp messages could be the target of an elaborate scam, after a report found a vulnerability on the messaging service that gives threat actors the social engineering tools to manipulate end users.
The report, “FakesApp: A Vulnerability in WhatsApp” by software technologies company Check Point, details a vulnerability that allows for three possible attacks.
According to the report, actors can change the content of a message to “put words into the mouth” of a user; send a message to someone that looks like a group message but is actually a direct message; and change the identity of a sender in a group chat.
“Given WhatsApp’s prevalence among consumers, businesses, and government agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams,” said Check Point’s head of product vulnerability research, Oded Vanunu.
“As one of the main communication channels available today, WhatsApp is used for sensitive conversations ranging from confidential corporate and government information, to criminal intelligence that could be used in a court of law.”
Owned by Facebook, WhatsApp is well known for encrypting every message, picture, video and call sent over the service.
As part of its research, Check Point decrypted WhatsApp communications to reveal the security parameters put in place and how they can be manipulated.
To change a correspondent’s reply and put words into their mouth, the attacker must manipulate the ‘fromMe’ parameter in the message.
The attacker can then capture the outgoing message before it is sent, decrypt it, alter its content and re-encrypt it before sending it to the unknowing recipient.
Similarly, to change the identity of a sender in a group chat, “all the attacker need do is catch the encrypted traffic,” details the report.
From there, both the conversation and participant parameters can be altered, allowing for a variety of fake replies.
With 1.5 billion global users sending 65 billion messages daily, WhatsApp is already the target of a great number of scams and misinformation campaigns.
Over the past year in India, a number of hoax messages wrongly accusing certain individuals of child abductions have circulated on WhatsApp.
The circulation of these fake messages has resulted in the murders of more than 30 people, including five people who were lynched in an incident last month.
WhatsApp is now working on a tool that tells users when a message has been forwarded to them rather than composed, in a bid to prevent similar incidents.