WhatsApp Flaw Lets Users Modify Group Chats to Spread Fake News


WhatsApp is a freeware and cross-platform messaging and Voice over IP (VoIP) service owned by Facebook. The application allows the sending of text messages and voice calls, as well as video calls, images and other media, documents, and user location.

WhatsApp has already come under fire recently, accused of being a method for troublemakers to spread hoaxes and fake news. Now, it may have a bigger concern on its hands, as it seems a flaw lets hackers manipulate messages in group chats.

Discovered by security researchers at Israeli security firm Check Point, the flaws take advantage of a loophole in WhatsApp’s security protocols to change the content of the messages, allowing malicious users to create and spread misinformation or fake news from “what appear to be trusted sources.”

The flaws reside in the way the WhatsApp mobile application connects with WhatsApp Web and decrypts end-to-end encrypted messages using the protobuf2 protocol.

 

Video Demonstration — How to Modify WhatsApp Chats

To exploit these vulnerabilities, the Check Point researchers (Dikla Barda, Roman Zaikin, and Oded Vanunu) created a custom extension for the popular web application security software Burp Suite, allowing them to easily intercept and modify encrypted messages sent and received in their WhatsApp Web session.

The tool, which they named “WhatsApp Protocol Decryption Burp Tool,” is available for free on GitHub, and first requires an attacker to input their private and public keys, which can easily be “obtained from the key generation phase from WhatsApp Web before the QR code is generated.”

 

Attack 1 — Changing a Correspondent’s Reply To Put Words in Their Mouth

Using the Burp Suite extension, a malicious WhatsApp user can alter the content of someone else’s reply, essentially putting words in their mouth.

 

Attack 2 — Change the Identity of a Sender in a Group Chat, Even If They Are Not a Member

The attack allows a malicious user in a WhatsApp group to exploit the ‘quote’ feature, which lets users reply to a past message within a chat by tagging it.
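A receiving client could compare a quoted reply with its own stored copy of the original message before rendering it, which covers the altered text of Attack 1 and the spoofed sender of Attack 2. This is an added example, not WhatsApp's or Check Point's code; the message model and every field name are hypothetical, and it assumes the reply carries its own copy of the quoted sender and text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredMessage:      # what this client itself received and saved
    msg_id: str
    sender: str
    text: str

@dataclass(frozen=True)
class QuotedReply:        # hypothetical model of an incoming reply
    quoted_id: str        # ID of the message being quoted
    quoted_sender: str    # sender name carried inside the reply
    quoted_text: str      # quoted text carried inside the reply
    body: str

def check_quote(reply, history, members):
    """Compare the quote in a reply with the local copy of the original."""
    original = history.get(reply.quoted_id)
    if original is None:
        # Nothing local to compare against (e.g. we joined the group later).
        if reply.quoted_sender not in members:
            return "unknown-message-from-non-member"
        return "unverifiable"
    if original.sender != reply.quoted_sender:
        return "sender-mismatch"
    if original.text != reply.quoted_text:
        return "text-mismatch"
    return "ok"

# Constructed sample data, not captured traffic.
MEMBERS = {"alice", "bob", "carol"}
HISTORY = {"m1": StoredMessage("m1", "alice", "Meeting is at 10am")}
SAMPLES = {
    "honest": QuotedReply("m1", "alice", "Meeting is at 10am", "See you there"),
    "altered_text": QuotedReply("m1", "alice", "Meeting is cancelled", "Really?"),
    "wrong_sender": QuotedReply("m1", "bob", "Meeting is at 10am", "Thanks Bob"),
    "outsider": QuotedReply("m9", "mallory", "Send me the files", "Why?"),
    "not_stored": QuotedReply("m7", "carol", "Lunch?", "Sure"),
}

def run_samples():
    return {name: check_quote(r, HISTORY, MEMBERS) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13} -> {verdict}")
```

A client would render anything other than "ok" with a visible warning rather than as a normal quote; "unverifiable" is the case where the local history simply has no copy to compare.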

 

Attack 3 — Send a Private Message in a Chat Group But When The Recipient Replies, The Whole Group Sees It

The third WhatsApp attack allows a malicious group user to send a specially crafted message that only a specific person will be able to see.

 

WhatsApp/Facebook Choose to Leave Reported Attacks Unpatched

The trio reported the flaws to the WhatsApp security team, but the company argued that since these messages do not break the fundamental functionality of the end-to-end encryption.

Another argument WhatsApp shared with the researchers, in the context of why the company cannot stop the modification of message content: “This is a known edge case that relates to the fact that we do not store messages on our servers and do not have a single source of truth for these messages.”

Since WhatsApp has become one of the biggest tools to spread fake news and misinformation, at least in countries with highly volatile political issues, we believe WhatsApp should fix these problems along with putting limits on the forwarded messages.

 
