Security researchers demonstrate spoofing vulnerabilities in WhatsApp

Check Point researchers have found vulnerabilities in WhatsApp that can be exploited to spoof messages in group and private chats. The researchers describe three attack scenarios to post false messages.

According to the researchers, the vulnerabilities can be used to alter the identity of a person who quotes in a group chat. In addition, the text of a conversation can be changed, so that a person appears to have posted messages in a private chat that they never sent. Finally, within a group chat, a private message can be sent to one person whose answer is then visible to everyone in the group.

According to Check Point, these are important vulnerabilities that WhatsApp must close. The company has informed the Facebook subsidiary of the findings. According to Check Point, the vulnerabilities are used to spread false information that appears to come from authentic sources.

However, abuse is not easy. Attackers must intercept the private and public keys of chat sessions and use an extension for the web application security tool Burp Suite. The keys can be intercepted via WhatsApp Web before the service generates a QR code. The data that the smartphone sends to WhatsApp Web must then be intercepted when the QR code is scanned. Finally, that data must be entered into the ‘WhatsApp Decoder’ extension for Burp Suite developed by Check Point. The impact of the vulnerabilities is low because of the steps required and the dependence on capturing WhatsApp Web traffic.
