FakesApp: A Vulnerability in WhatsApp

Check Point Research discovers weaknesses allowing attackers to commandeer communications in world's leading messaging application.

Tags: WhatsApp
Mordechai Sones ,

Part of the research
Part of the research
Check Point

Check Point Research's cyber investigators Dikla Barda and Roman Zaken have revealed significant weaknesses in the popular Whatsapp application that allow attackers to intervene and commandeer communications within the application.

These weaknesses provide a most powerful mode of manipulation within groups, the ability to spread erroneous information, and to divert a conversation according to one's needs - without being detected.

Whatsapp is considered the world's leading messaging application and is used every day by over 1.5 billion users. The application receives about 65 billion messages per day, and contains more than one billion groups that allow multiple users to chat simultaneously.

The three main methods of operation possible due to the weaknesses found are:

  • Re-editing text written in a response message and writing any text the attacker wishes (in fact attributing different words to a person than what he wrote);
  • Change the name of a person responding in a group to any name the attacker chooses (thus allowing impersonation by an attacker, even if not a group member); and
  • Sending a private message (including text, image, and video) to one of the group members in a way that appears to have been sent to all group members, but actually only one member chosen by the attacker sees the message. If that group member responds to the malicious message - all members of the group see it (the attacker actually has the option of choosing which comment each member of the group will see separately).

Check Point Research product weakness division head Oded Vanunu said: "Whatsapp's huge popularity among consumers, businesses, and governments makes it a preferred destination for attackers who see it as a tremendous opportunity to create a ruse. As one of the world's leading communication channels, courts around the world have already recognized correspondence in it as evidence admissible in court, and weaknesses that allow direct correspondence are potentially extremely damaging for dissemination of disinformation (fake news).

"We believe it is of paramount importance to address such weaknesses in an application that's so well identified and affects communication between more than a billion people worldwide, otherwise attackers can take advantage of them and have real impact on unmediated communication occurring in more than a billion conversation groups," Vanunu added.