A group of researchers at security firm Check Point has highlighted vulnerabilities in popular messaging app WhatsApp. In the sample, the boss's message was altered to increase the supposed raise from $500 to $1,500.
According to the team, the bugs "could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers vast power to create and spread misinformation from what appear to be trusted sources". Interestingly, all three methods involve some degree of social engineering to fool users.
On Facebook's end, the other two vulnerabilities could not be resolved due to "infrastructure limitations" on WhatsApp. A WhatsApp spokesperson said that addressing these issues could make WhatsApp less private; for example, it might require storing other information, such as location. The second lets a bad actor manipulate the text of someone else's reply.
The Facebook-owned company, however, is said to have fixed a third vulnerability, which allowed private messages to be sent to a group participant disguised as a public message.
Researchers demonstrated that hackers can access encrypted traffic to impersonate another group member and then send it an extension to decrypt the content. Hackers can then reply to a spoofed message in a group, even though the original message being replied to never existed.
Oded Vanunu, Check Point's head of products vulnerability research, feels the flaws could have serious consequences.
It is unclear exactly if and when an updated version of WhatsApp containing the content moderation system might be deployed to users' devices.
Researchers revealed a new tool that has exposed a flaw in WhatsApp in which users can manipulate messages and "put words in people's mouths". Yet users should be careful when contributing to group chats. Governments also use WhatsApp for government-to-citizen communication.
Facebook was already aware of the bugs, but the company failed to act on them in the past year because of "limitations that can't be solved due to their structure and architecture".
"During the process we unveiled new vulnerabilities that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers huge power to create and spread misinformation from what appear to be trusted sources", the researchers added.