And Facebook says it can’t actually fix them

Aug 9, 2019 05:30 GMT

A trio of security vulnerabilities in Facebook-owned mobile messaging platform WhatsApp was demonstrated by security researchers at Check Point Research at the Black Hat conference, showing that with a successful attack, hackers can easily put words in your mouth.

The security experts revealed that Facebook was notified about these security flaws in late 2018, but so far only one of them has received a patch.

The other two are still out there and could be exploited by hackers.

Check Point Research says the three bugs allowed hackers to do the following (excerpt from their published analysis):

Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
Alter the text of someone else’s reply, essentially putting words in their mouth.
Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.

No fix for two flaws

Out of these three, only the last one was fixed, as resolving the other two involves getting access to data that is otherwise locked.

Basically, the first two flaws allow a hacker to reply to a message in a group chat and change the sender's name or the text in the quote. While the original message wouldn’t be modified, the text that is being replied to can be easily altered, essentially making it look like someone said something else.

Facebook can’t fix these bugs because WhatsApp uses end-to-end encryption, so in a group chat only the participants in the discussion can see the decrypted messages. In other words, unless Facebook gets access to the decrypted chat, which the company claims is not happening, a patch can’t be implemented.

At this point, it’s not yet clear if Facebook is still working on a way to resolve the flaws or if the company is just going to leave them there for eternity.