WhatsApp Flaw Lets Users Modify Group Chats to Spread Fake News
WhatsApp is a freeware and cross-platform messaging and Voice over IP (VoIP) service owned by Facebook. The application allows the sending of text messages and voice calls, as well as video calls, images and other media, documents, and user location.
WhatsApp has already come under fire recently, accused of being a method for troublemakers to spread hoaxes and fake news. Now, it may have a bigger concern on its hands, as it seems a flaw lets hackers manipulate messages in group chats.
Discovered by security researchers at Israeli security firm Check Point, the flaws take advantage of a loophole in WhatsApp’s security protocols to change the content of the messages, allowing malicious users to create and spread misinformation or fake news from “what appear to be trusted sources.”
The flaws reside in the way the WhatsApp mobile application connects with WhatsApp Web and decrypts end-to-end encrypted messages using the protobuf2 protocol.
Video Demonstration — How to Modify WhatsApp Chats
To exploit these vulnerabilities, the Check Point researchers (Dikla Barda, Roman Zaikin, and Oded Vanunu) created a new custom extension for the popular web application security software Burp Suite, allowing them to easily intercept and modify sent and received encrypted messages on their WhatsApp Web.
The tool, which they named “WhatsApp Protocol Decryption Burp Tool,” is available for free on GitHub, and first requires an attacker to input their private and public keys, which can be easily “obtained from the key generation phase from WhatsApp Web before the QR code is generated.”
Attack 1 — Changing a Correspondent’s Reply To Put Words in Their Mouth
Using the Burp Suite extension, a malicious WhatsApp user can alter the content of someone else’s reply, essentially putting words in their mouth.
Attack 2 — Change the Identity of a Sender in a Group Chat, Even If They Are Not a Member
The attack allows a malicious user in a WhatsApp group to exploit the ‘quote’ feature, which lets users reply to a past message within a chat by tagging it.
Attack 3 — Send a Private Message in a Chat Group But When The Recipient Replies, The Whole Group Sees It
The third WhatsApp attack allows a malicious group user to send a specially crafted message that only a specific person will be able to see.
WhatsApp/Facebook Choose to Leave Reported Attacks Unpatched
The trio reported the flaws to the WhatsApp security team, but the company argued that since these messages do not break the fundamental functionality of the end-to-end encryption.
Another argument WhatsApp shared with the researchers, in the context of why the company cannot stop the modification of message content: “This is a known edge case that relates to the fact that we do not store messages on our servers and do not have a single source of truth for these messages.”
Since WhatsApp has become one of the biggest tools to spread fake news and misinformation, at least in countries with highly volatile political issues, we believe WhatsApp should fix these problems along with putting limits on the forwarded messages.
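The quote-spoofing attack and WhatsApp's "no single source of truth" remark above come down to what a receiving client can and cannot check against its own history. The following Python is an added example, not code from Check Point or WhatsApp; the message fields, function name and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:            # a message as stored in the client's local history
    msg_id: str
    sender: str
    text: str

@dataclass(frozen=True)
class QuotedReply:        # a reply that embeds its own copy of the quoted message
    reply_sender: str
    reply_text: str
    quoted_id: str
    quoted_sender: str
    quoted_text: str

def check_quote(reply, history, members):
    """Compare the embedded quote with the local copy; return warnings."""
    warnings = []
    if reply.quoted_sender not in members:
        warnings.append("quoted sender is not a group member")
    original = history.get(reply.quoted_id)
    if original is None:
        # No server-side copy exists to consult, so this cannot be settled.
        warnings.append("quoted message not in local history; cannot verify")
        return warnings
    if original.sender != reply.quoted_sender:
        warnings.append("quoted sender differs from local copy")
    if original.text != reply.quoted_text:
        warnings.append("quoted text differs from local copy")
    return warnings

# Constructed sample data (hypothetical group and messages).
MEMBERS = {"alice", "bob", "mallory"}
HISTORY = {"m1": Message("m1", "alice", "Meeting is at 10am")}

if __name__ == "__main__":
    samples = [
        QuotedReply("bob", "ok", "m1", "alice", "Meeting is at 10am"),
        QuotedReply("mallory", "really?", "m1", "alice", "Meeting is cancelled"),
        QuotedReply("mallory", "wow", "m9", "carol", "I quit"),
    ]
    for r in samples:
        print(r.reply_sender, "->", check_quote(r, HISTORY, MEMBERS) or "consistent")
```

A quote whose original is missing from local history can only be marked unverifiable, which is the edge case WhatsApp's statement describes.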