Facebook has failed to address a WhatsApp flaw that lets hackers take over conversations


TS Addict
Staff member

Nowadays, Facebook makes it a big point that it owns WhatsApp and is even looking to stamp its name on it to make sure you remember that whenever you're using it. Meanwhile, it left every one of its 1.5 billion users open to an attack that can impersonate them and take over their conversations for malicious purposes.

Researchers at Check Point first opened up about the flaws in August last year, when they discovered three ways in which attackers could hijack your group chats and put words in your mouth. Two of them work through the "quote" feature in a group conversation: an attacker can "change the identity of the sender, even if that person is not a member of the group," or simply alter the text of someone else's reply so that the quoted message no longer says what it originally said.

The third abuses the same flaw differently: a user is tricked into sending what they believe to be a private message to someone inside the group. Once that person replies, the message becomes public and everyone can see its content.

Check Point disclosed the flaws at the Black Hat 2019 security conference in Las Vegas, but it's worth noting that Facebook was notified sometime around the end of 2018, and has only managed to fix one of the three vulnerabilities - the one where you can be fooled into mixing public and private messages.

The researchers worked against the web version of WhatsApp, which has to be paired to your phone by scanning a QR code, and captured the "secret parameter" that is exchanged during that handshake. With it they could decrypt the web traffic they captured and decode the messages on the fly, which is what let them tamper with the quote fields before a message left their own client. Ironically, Facebook can't easily intervene in this kind of attack because of WhatsApp's "end-to-end encryption": the manipulation happens at the endpoint before encryption, so neither the company nor law enforcement agencies can readily check the authenticity of the messages in transit.

The good news is that the real-life risk will be relatively low for most people, but the bigger your groups, the greater the risk. Also, Apple is preparing a set of changes in iOS 13 that will limit what Facebook's messaging apps can do while running in the background.

Interestingly enough, Facebook believes fixing the remaining flaws is impractical because it would require WhatsApp to log all messages and thus compromise on privacy. The company told TNW that "it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages."

The problem, however, is that Facebook isn't just ignoring a couple of vulnerabilities in one of its apps: its messaging apps are set to run on top of the same shared infrastructure. Recently there have also been reports that a WhatsApp spyware tool could be used as a universal key into our digital lives and compromise Microsoft, Apple and Google accounts, among other things.

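As an added illustration (not code from the article, from Check Point, or from WhatsApp), here is a toy model in Python of why a quoted reply can be forged when the reply carries its own copy of the quoted sender and text, and what a receiving client can check instead. The message fields, participant names and chat scenario below are constructed assumptions, not WhatsApp's real protocol.

```python
# Added illustrative model (not WhatsApp's code or protocol). It shows why a
# quoted reply that carries its own copy of the quoted sender and text can be
# forged by a modified client, and what a receiving client can check instead.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Message:
    # Field names are assumptions for this model, not real WhatsApp field names.
    msg_id: str
    sender: str                          # participant who sent this message
    text: str
    quoted_id: Optional[str] = None      # id of the message being replied to
    quoted_sender: Optional[str] = None  # copy of the quoted sender, supplied by the replying client
    quoted_text: Optional[str] = None    # copy of the quoted text, supplied by the replying client


def render_quote_naive(msg: Message) -> Optional[str]:
    """Weak behaviour: display the quote exactly as the replying client wrote it.

    A client under the attacker's control can put any sender name and any text
    into the quote fields before the message is encrypted and sent, so the
    server never sees (and cannot vet) the forgery.
    """
    if msg.quoted_id is None:
        return None
    return f"{msg.quoted_sender}: {msg.quoted_text}"


def render_quote_verified(msg: Message, history: Dict[str, Message],
                          members: Set[str]) -> Optional[str]:
    """Hardened behaviour: treat the quote fields as untrusted input.

    The receiving client already holds the message it received under
    quoted_id, so it renders that copy and flags any disagreement. If the
    referenced message is unknown, it at least refuses to attribute the quote
    to someone who is not in the group, and marks the quote as unverified.
    """
    if msg.quoted_id is None:
        return None
    original = history.get(msg.quoted_id)
    if original is not None:
        if original.sender != msg.quoted_sender or original.text != msg.quoted_text:
            return f"[quote altered] {original.sender}: {original.text}"
        return f"{original.sender}: {original.text}"
    if msg.quoted_sender not in members:
        return f"[quoted sender is not a group member] {msg.quoted_sender}: {msg.quoted_text}"
    return f"[unverified quote] {msg.quoted_sender}: {msg.quoted_text}"


def demo() -> Dict[str, Optional[str]]:
    """Constructed group-chat scenario: mallory is a member with a modified client."""
    members = {"alice", "bob", "mallory"}
    original = Message("m1", "alice", "Let's meet at 10.")
    history = {original.msg_id: original}

    honest = Message("m2", "bob", "Works for me.",
                     quoted_id="m1", quoted_sender="alice", quoted_text="Let's meet at 10.")
    # Forgery 1: the quoted text is rewritten, putting words in alice's mouth.
    forged_text = Message("m3", "mallory", "Agreed.",
                          quoted_id="m1", quoted_sender="alice",
                          quoted_text="Let's meet at 10, bring the cash.")
    # Forgery 2: the quote is attributed to carol, who is not in the group.
    forged_sender = Message("m4", "mallory", "Sure.",
                            quoted_id="m1", quoted_sender="carol",
                            quoted_text="Let's meet at 10.")
    # Forgery 3: the quote references a message nobody received and names a non-member.
    forged_missing = Message("m5", "mallory", "See above.",
                             quoted_id="m99", quoted_sender="carol", quoted_text="Send it to me.")

    return {
        "honest": render_quote_verified(honest, history, members),
        "naive_forged_text": render_quote_naive(forged_text),
        "verified_forged_text": render_quote_verified(forged_text, history, members),
        "naive_forged_sender": render_quote_naive(forged_sender),
        "verified_forged_sender": render_quote_verified(forged_sender, history, members),
        "verified_forged_missing": render_quote_verified(forged_missing, history, members),
    }


if __name__ == "__main__":
    for label, shown in demo().items():
        print(f"{label:24} {shown}")
```

The check lives entirely on the receiving client, using the copy of the quoted message it already received, so it needs no server-side record of who said what. The "unverified" branch exists because a member who joined after the quoted message was sent will legitimately not have it in local history; the model flags that case rather than silently trusting the quote.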



TS Rookie
I highly recommend the 'Telegram' messaging app for anyone looking for an alternative to WhatsApp. Security, calling, file sharing, and group chats are all in a class above. You've got to try it to understand how far behind WhatsApp is now.

Facebook seems to have this mentality that people can't leave WhatsApp the same way they thought people couldn't leave Facebook years ago. They'll be proven wrong again if they don't keep up with their competition.


TS Guru
Except that any evidence collected using such a method is inadmissible in court so it would be pointless for law enforcement to try.
True, but they wouldn't need to. Tipped off, means they can then employ legal means of acquiring evidence.


TS Guru
That would then be called entrapment. Law enforcement must at all times be able to prove that the chain of evidence was obtained lawfully. If at any point during the investigation officers break the law, or even skirt it, in collection of evidence and information, the whole case becomes invalid as the court/jury would not be able to trust the integrity of the investigators. It would be a dismissal with prejudice.
It isn't that hard to create a clean chain of evidence. Traffic stops are primary examples where a legitimate chain of evidence can begin. With prior knowledge, it's easy to set that up. But you're right on one aspect: the wall that is supposed to exist between intelligence surveillance, if that's what we're classifying this information as, and law enforcement. Of course, believing that this wall isn't porous would be a massive stretch. I'm under the impression that this intelligence is more law enforcement related than NSA intelligence, and thus again, usable even if it isn't admissible in court.