WhatsApp flaw used to spread scams

Regina Pazvakavambwa
By Regina Pazvakavambwa, ITWeb portals journalist.
Johannesburg, 13 Aug 2018
The implications of message interception can be disastrous for both business and private users.
The implications of message interception can be disastrous for both business and private users.

A newly-discovered WhatsApp vulnerability allows hackers to gain access to and message group chats and private conversations.

This is according to Check Point Software Technologies researchers, who note if the bug is not fixed, it could help hackers create and spread misinformation.

The exploit is made possible by taking advantage of vulnerabilities between WhatsApp for mobile and WhatsApp for the Web, say the researchers.

"The hacker first needs to be a member of a WhatsApp group they want to manipulate. Then, the hacker can use the WhatsApp Web application (the PC version of WhatsApp for phones) to manipulate the group chats. They do this by using the debug tool in their browser."

The bug so far allows for three possible attacks. Firstly, changing a reply from someone or a group and making it seem like it's the person sending them when it's actually a hacker.

Secondly, quoting a message in a reply to a group conversation to make it appear as if it came from a person who is not part of the group. Lastly, hackers can send a message to a member of a group that pretends to be a group message but is in fact only sent to this member. However, the member's response will be sent to the entire group.

"We believe these vulnerabilities to be of utmost importance and require attention. Given WhatsApp's prevalence among consumers, businesses and government agencies, it's no surprise that hackers see the application as a five-star opportunity for potential scams," says Oded Vanunu, Check Point's head of product vulnerability research.

"As one of the main communication channels available today, WhatsApp is used for sensitive conversations, ranging from confidential corporate and government information, to criminal intelligence that could be used in a court of law."

WhatsApp has already been at the centre of a variety of scams. From fake supermarket and airline giveaways, to election tampering, threat actors never tire of ways to manipulate unsuspecting users, says Check Point.

As of early 2018, the Facebook-owned messaging application has over 1.5 billion users, with over a billion groups and 65 billion messages sent every day, says Check Point.

According to a report by global digital agency We Are Social, mobile users accounted for 172 million, most of whom used only two Facebook-owned platforms, WhatsApp and Messenger, it adds.

Check Point says following the process of responsible disclosure, WhatsApp was informed of the findings. In response, it "acknowledged" the flaws, explaining they are part of the platform's design framework.

Graham Croock, director for BDO IT Advisory Services, says the implications of message interception can be disastrous for both business and private users, particularly where personal information such as bank account details are being exchanged and a simple change of a bank account number results in a deviation of a payment.

"We have personal experience in interception of Facebook messages between parents and au pairs, where the address becomes known to potential kidnappers. We also see passwords being intercepted and this leads to additional hacking."

Check Point says at present there are no security products that can protect users from these types of deceptions.

Croock notes users are ignorant and don't understand the impact of the interception of data. Users need to be aware of recent hacks and they must be trained as to what is to be shared and what is not to be shared, he adds.

"If something sounds too good to be true, it usually is. And likewise, if something sounds too ridiculous to be true, it probably is. Misinformation spreads faster than the truth. Although you may be seeing the same news from multiple sources, this does not make it more factual than were it to come from a single source."