WhatsApp bills itself as a free and secure messaging application with end-to-end encryption and cross-platform support, all of which have made it a popular option. However, it may not be as secure as advertised. Vulnerabilities that were disclosed last year have still not been addressed and, if abused, could allow an attacker to spoof messages.
Researchers at Check Point disclosed a trio of attack vectors last year, explaining that they could enable a hacker to change a user's messages, change a sender's identity, and make private messages viewable to the public. One of those has been addressed, but two of the attack vectors still remain, as researchers recently demonstrated at the Black Hat USA 2019 conference in Las Vegas.
"WhatsApp end-to-end encryption ensures that only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp. However, we managed to reverse-engineer WhatsApp web source code and successfully decrypted WhatsApp traffic," Check Point researchers Roman Zaikin and Oded Vanunu said.
The researchers manipulated the encryption scheme that WhatsApp uses, converting the "protobuf2" protocol to JSON. This allowed them to see what was going on under the hood, and opened the door to messaging shenanigans. One of the things this makes possible is altering the text of a user's reply, "essentially putting words in their mouth."
"During the process we unveiled new vulnerabilities that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources," the researchers added.
WhatsApp got scooped up by Facebook in 2014 for $19 billion. The messaging platform boasts over 1 billion users in over 180 countries, which makes these kinds of vulnerabilities all the more worrisome. Hopefully the attention this is receiving will prompt Facebook to finally fix the remaining security flaws.