A security firm has discovered a flaw in WhatsApp that allows previously delivered messages to be tweaked to change the content or change the sender’s identity.
The flaw was discovered by Check Point Technologies, which reported that hackers can create a hacked copy of the app and alter a quoted message to change its contents or sender. The hack can only be carried out in a chat that the perpetrator is part of, which makes it a tool to be used in group chats.
NYT reports that “WhatsApp acknowledged that it was possible for someone to manipulate the quote feature, but the company disagreed that it was a flaw. WhatsApp said the system was working as it had intended, because the trade-offs to prevent such a deception by verifying every message on the platform would create an enormous privacy risk or bog down the service.”
Carl Woog, a spokesman for WhatsApp, responded to the issue:
“We carefully reviewed this issue and it’s the equivalent of altering an email. What Check Point discovered had nothing to do with the security of WhatsApp’s so-called end-to-end encryption, which ensures only the sender and recipient can read messages.”
Oded Vanunu, head of vulnerability research at Check Point, replied that:
the ability to alter messages gave attackers a powerful tool to spread misinformation from what appeared to be a trusted source. It is especially problematic in group chats, which can include up to 256 people. Multiple messages can come in at once and it can be easy to lose track of what someone has said, he said.
WhatsApp replied that it takes “the challenge of misinformation seriously” and that it is trying to ban users of hacked WhatsApp versions, and it downplayed the severity of the flaw.
One solution would be to create transcripts of every message exchange to verify the accuracy of every quote. Creating such a transcript is a significant privacy risk because those accounts of what people wrote to each other must be stored somewhere, the company said.