WhatsApp Vulnerability Lets Hackers Change Message Content
Could someone be manipulating your messages?
Security researchers have found a flaw in WhatsApp that could allow a malicious user to change the content of messages, including the sender’s name.
The Israeli team, Check Point Research, discovered a way to change both group and one-to-one messages within WhatsApp.
This kind of vulnerability is alarming considering that WhatsApp prides itself on its strong security; it was one of the first apps to use 256-bit AES end-to-end encryption.
Nonetheless, the security team figured out a way to change the text in a reply, change the name of the person that sent a message, and trick people into sending public messages that they think will be private.
Given that so many of us regard WhatsApp as one of the most secure messaging apps available, this is a big deal for the company.
Reverse Engineered Encryption
So how did hackers change the content of encrypted messages? They essentially experimented with WhatsApp’s encryption, running it in reverse, decrypting it in a similar way to the app on your phone.
They were then able to extract the various parts of the message and edit them in plain text.
Using a special tool, the hacker could then ‘catch’ a message mid-transmission, alter the contents, and then forward the new message on.
The person on the other end would have no idea that the message has been changed.
If you’re interested in seeing the source code behind this attack, the team has put it on Github here.
The process of changing the content of messages is technical and convoluted; it’s unlikely that someone would try to change a WhatsApp chat to play a practical joke. It’s also important to note that a hacker would need to befriend and trick the WhatsApp user to execute an attack, so you won’t see the content of messages randomly changed unless you’re in a group with someone that’s trying out this tactic on you.
But security flaws like this are potentially serious if the malicious attacker alters messages to spread ‘fake news’, or fabricate messages relating to criminal activity. WhatsApp has already restricted the number of times a message can be forwarded to prevent the spread of misinformation, but a flaw like this could still do some damage.
Check Point Research is an ethical hacking group, and there is no suggestion that the flaw has been misused. It could also only be used if the sender and recipient were already in contact with each other, which means that they’d probably have to be tricked into communicating first.
As ever, this WhatsApp vulnerability reminds us that while encryption improves our security online, no messaging app is completely secure. WhatsApp’s encryption can be bypassed by a simple screenshot, so it’s always best to take great care when discussing things online -- particularly in chat groups.