SECURITY BOFFINS from Check Point have uncovered flaws in WhatsApp that could let hackers intercept and manipulate messages.
WhatsApp is known for its use of end-to-end encryption that makes snooping on messages pretty much impossible. But Check Point's researchers decided to have a go at reverse engineering the algorithm WhatsApp uses to decrypt data.
The researchers found that WhatsApp is using the "protobuf2 protocol" to decrypt messages being fired through the app. By converting that to JSON, the researchers were able to see "the actual parameters that are sent and manipulate them in order to check WhatsApp's security".
"The outcome of our research is a Burp Suite [a Java-based tool for web penetration testing] extension and three manipulation methods. To start the manipulation, though, we first have to get the private and public key of our session and fill it in our Burp Suite extension," the researchers said, spouting some technical talk.
The end result was that the researchers had effectively found ways to hack and exploit WhatsApp.
"By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues," the researchers explained.
As such, Check Point was able to then carry out three attacks against WhatsApp users, including changing the identity of a sender in a group chat even if they aren't a member of said chat, changing a correspondent's reply to effectively fake their response, and sending private messages to a person in a chat group but ensuring that when they respond the whole group sees the reply.
Basically, the attacks could enable malicious actors to sneak into group chats, manipulate conversations, cause communications havoc and spread misinformation.
Check Point has alerted WhatsApp to the problem but apparently hasn't received a response at the time of writing.
You might ask who'd want to mess with your group chats given that, if they are anything like ours, they are full of dull moaning, nonsense, and GIFs. But who knows what the hackers get their kicks from these days. µ