Why it matters: According to industry watchers, WhatsApp is home to over 1.5 billion users in 180 countries who depend on it for daily messaging, with some people checking the app more than 23 times a day. That leaves a great attack surface for hackers who could be looking to hijack conversations and turn them into the perfect platforms for online scams, propaganda and fake news.
Nowadays, Facebook makes it a big point that it owns WhatsApp and is even looking to stamp its name on it to make sure you remember that whenever you're using it. Meanwhile, it left every one of its 1.5 billion users open to an attack that can impersonate them and take over their conversations for malicious purposes.
Researchers at Check Point first opened up about the flaw in August last year, when they discovered at least three ways in which attackers could hijack your group chats and gain the ability to put words in your mouth. There are two distinct ways to do the latter, either by using the “quote” feature in a group conversation to "change the identity of the sender, even if that person is not a member of the group," or by simply altering the text of someone else's reply.
In the first case, someone could change the identity of the sender even if that person isn't a member of the group. A different type of attack that takes advantage of the flaw is tricking users into sending what they believe to be private messages to someone inside a group. Then, once the person replies, the message becomes public and everyone can see the content.
Check Point disclosed the flaws at the Black Hat 2019 security conference in Las Vegas, but it's worth noting that Facebook was notified sometime around the end of 2018, and has only managed to fix one of the three vulnerabilities - the one where you can be fooled into mixing public and private messages.
The researchers have exploited the web version of WhatsApp that needs to be paired to your phone by scanning a QR code, and managed to steal the "secret parameter" that is sent as a handshake. Then they captured the web traffic and essentially decoded all that information on the fly. Ironically, Facebook can't easily intervene in this kind of attack because of the "end-to-end encryption" feature of WhatsApp, which makes it tricky for the company or law enforcement agencies to check the authenticity of the messages.
The good news is that the real life risks will be relatively low for most people, but the bigger your groups, the greater the risk. Also, Apple is preparing a set of changes in iOS 13 that will limit what Facebook's messaging apps can do while running in the background.
Interestingly enough, Facebook believes fixing the remaining flaws is impractical because it would require WhatsApp to log all messages and thus compromise on privacy. The company told TNW that "it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages."
The problem, however, is that Facebook isn't just ignoring a couple of vulnerabilities inside one of its apps, which are set to run on top of the same infrastructure. Recently there have been reports that a WhatsApp spyware tool could also be used as a universal key into our digital lives and compromise Microsoft, Apple and Google accounts, among other things.