Cybersecurity experts who found a way to hack WhatsApp and manipulate chat messages said on Wednesday that Facebook has failed to address the flaws, a year after the social media network was alerted.
Researchers at security software company Check Point said in August last year that they had discovered ways in which a malicious actor could alter messages in WhatsApp, “essentially putting words in [someone’s] mouth”, and also change the identity of the sender of content in a group chat.
But WhatsApp, which was bought by Facebook in 2014, has failed to resolve the issue, which remains today, Check Point said.
Speaking at the Black Hat cyber security conference, Oded Vanunu, head of product vulnerability research at the security company, said Facebook blamed WhatsApp’s flaws on “limitations that can’t be solved due to their structure and architecture”.
Facebook declined to comment.
Check Point said it had now launched a tool that would allow users to carry out the manipulations, in order to raise greater awareness of the issue.
“We think this is our obligation to escalate this,” Mr Vanunu said, pointing to WhatsApp’s estimated user base of 1.5bn and the risk that the techniques were used to “spread misinformation from what [would] appear to be trusted sources”.
Facebook has begun introducing some restrictions to WhatsApp following mounting concerns over the ease with which the messaging app can be used to spread misinformation and fake news.
In July 2018, WhatsApp started to notify users when messages had been forwarded by a sender, rather than just composed by them, after a spate of lynchings in India — including 17 fatalities — were alleged to have been sparked by false and inflammatory WhatsApp rumours.
Earlier this year, the company also limited to five the number of recipients a user could forward a message to, down from 20.
The revelations raise little-discussed questions over the trade-offs involved in WhatsApp’s use of encryption technology. While end-to-end encryption in WhatsApp is designed to guarantee user privacy, shielding the content of their messages from third parties, it also means the company cannot monitor and verify conversations.
Check Point last year uncovered three ways in which WhatsApp’s messaging system could be manipulated, one of which Facebook resolved.
However, two remain. In one scenario, an attacker could change the identity of a sender in a group chat, impersonating another member of that group or even creating a non-existent group member, by using the “quote function” whereby a user reposts a message when responding to it.
In another, an attacker could reply to a message using the quote function and make it appear as if that message had originally been something different.
A malicious actor would not have to crack Facebook’s end-to-end encryption in order to do this, Mr Vanunu said, adding that the process was “not so complex to perform”.