Check Point warns of fake WhatsApp messages
Investigators from Israeli company Check Point Software Technologies Ltd. announced that they had discovered dangerous vulnerabilities in the WhatsApp app, enabling an attacker to send fake messages, impersonate someone else, and prevent specific messages from getting through to a person or group in which any message is distributed.
It is possible to impersonate someone using these fake messages and send misleading messages, prevent people from receiving messages and send fake messages to specific people in a group. Misuse of these vulnerabilities leaves a great deal of room for manipulations of users and aggressive and destructive behavior.
The Check Point investigators found three important vulnerabilities: a trained attacker can edit a message that has already been written, impersonate an innocent person, and send a different text and make it seem that the innocent person sent it. Using a similar method, the attacker can change the name of the person who sent the message, thereby making the other participants in the call think that someone else wrote the message. In a third method, the attack can send a private message containing text, a picture, or a video to one of the members of a personal group and make the message appear as if it had been sent to all of the group’s members. If the victim of the attack responds to the message (sometimes with anger), the entire group will see the message, even though they did not see the provocative message that preceded it.
These vulnerabilities make possible innumerable manipulations of innocent WhatsApp users that are liable to include crime, blackmail, or as has already happened, suicide or murder.
Check Point product vulnerability research head Oded Vanunu told Globes that after the company notified WhatsApp of the vulnerabilities, WhatsApp answered that it was unable to fix the problem immediately because it involved the structure of the application and the features that it offers. “Since there were people murdered because of fake messages, we decided this is not something we could keep a secret; we had to tell the public so that people would be aware and think twice before responding to dramatic messages.”
This is how it works: 56 billion messages a day are now sent among 1.5 billion users and in one billion groups via WhatsApp, making the system a huge theater for fraud and misuse of bogus messages.
Check Point does not know whether any hackers have already misused this vulnerability in order to distort correspondence. Cybersecurity researchers Dikla Barda and Roman Zaikin also participated in Check Point’s research group. In the past, the company revealed other vulnerabilities of WhatsApp and Telegram that enabled hackers to take control of the users’ accounts and penetrate all of their information, and to plant malware on their telephones. These malfunctions were repaired immediately.
A WhatsApp spokesperson said, “We carefully examined the matter, which is comparable to fake email. What Check Point discovered is unrelated to the comprehensive security of the system, which ensures that only the sender and receiver can read the message. We are paying serious attention to the challenge of the misleading information and recently added a restriction on the quantity of content that can be sent to other addressees. We added a label to messages sent to additional addressees and made a series of changes in group chats. We can block accounts that try to change messages and send spam, and we are working with the civilian company in a number of countries in order to educate people about fake and fraudulent messages.”
(Globes/TNS)