Security flaws in WhatsApp, the Facebook-owned chat app with more than 1.5 billion users, could let hackers “intercept and manipulate” messages, researchers claim.
Experts from Israeli company Check Point said in a report on Monday that some bugs could let attackers “spread misinformation from what appear to be trusted sources.” Issues exist in how the mobile version of WhatsApp connects with WhatsApp Web, researchers suggested.
In an example provided in the technical paper, the team was able to change a WhatsApp message to display something completely unintended.
A chat entry that said “Great!” — sent by one member of a group — was changed to read: “I’m going to die, in a hospital right now!”
Check Point published a video to YouTube demonstrating the alleged flaws. WhatsApp — which was notified of the allegations — did not immediately respond to a request for comment.
WhatsApp is protected by end-to-end (E2E) encryption, meaning that the content of messages is only accessible to sender and receiver. The technology is designed to stop chats, photos, videos, voice messages, documents and calls from being intercepted.
“No one, not even us, has access to the content of your conversations,” WhatsApp says. Circumventing E2E is no small feat.
Check Point this week claimed to have found multiple methods of exploiting alleged flaws.
Each of the techniques, researchers conceded, had used social engineering tricks to help dupe users. The firm said it was able to decrypt some traffic and see “parameters” sent between the WhatsApp mobile app and the Web version, which uses a QR code to verify an account.
Another attack vector could allegedly abuse the app’s “quote” feature to make it look like someone had sent a message — even if that individual was never in the group chat.
Oded Vanunu, vulnerability research chief at Check Point, said: “Given WhatsApp’s prevalence, it’s no surprise hackers see the app as a five-star opportunity for potential scams.”
But WhatsApp informed Check Point that the suspected flaws were simply a part of the app’s design.
“We carefully reviewed this issue and it’s the equivalent of altering an email,” Carl Woog, a spokesman for WhatsApp, told the New York Times in a statement, dismissing the report.
There was no suggestion the technology behind WhatsApp had been compromised, nor any evidence that WhatsApp messages were being hacked, altered or manipulated at scale. The chat app offers a two-step verification option for additional security on accounts.
Independent security expert Robert Pritchard told Newsweek that Check Point’s report was “confusing,” but said the demonstration appeared to show bugs exist — with major caveats.
Pritchard noted the scenario was “easy in the lab” but difficult in practice.
“I find it hard to see how this could be especially practical to exploit,” he explained. “They’ve extracted their own keys — which are presumably in memory on the device somewhere anyway.
“They do caveat themselves in the intro by saying that it relies on social engineering.
“It’s interesting, but I think some assumptions have been hand-waved over and (the fact) you can’t blindly trust everyone in a group chat does not seem like big news.”
“[Check Point’s] scenarios seemed a little far-fetched,” he continued. “If you wanted to spread confusion, screenshots and a paint app would presumably work just as well. It also relies on someone in the group chat being malicious.” He added: “I’d say WhatsApp is still secure.”
Previously, Check Point claimed hundreds of millions of WhatsApp and Telegram accounts were vulnerable to attack. At the time, WhatsApp found no evidence the issue had been abused.
Cyber experts have warned against overblowing security threats to WhatsApp.
In reaction to previous reporting about an alleged WhatsApp flaw last year, dozens of cyber researchers and academics co-signed an open letter warning about the dangers of exaggerating concerns. WhatsApp, they noted, is used by millions of people to talk securely — and spreading fear about a widespread hack can put individuals’ safety at risk in some parts of the world.
“Causing unnecessary and unwarranted concern about WhatsApp is likely to make many users give up on the idea of using secure apps altogether,” the detailed letter warned at the time.