Check Point Research just made public a new WhatsApp vulnerability called FakesApp. Here’s how this vulnerability works and how you can protect your WhatsApp account.
FakesApp is a new vulnerability in the security protocols of WhatsApp, which allows a hacker to bypass end-to-end encryption and change the contents of a sent message.
Any hacker can edit a message that has already been sent, without any time limitations.
The problem is that this vulnerability is not limited to the messages you have already sent; it grants hackers the power to violate the privacy of any conversation between two users or groups.
Given that 65 million messages are sent every day, this flaw in WhatsApp is dangerous because anyone can impersonate your account and forge messages.
Since a hacker must be a participant in the chat to carry out the attack, groups are particularly susceptible.
Further, the FakesApp vulnerability could cause havoc if hackers start a “fake news” campaign by modifying private conversations and messages on a mass scale.
Three kinds of FakesApp attacks explained
As soon as someone answers in a group conversation, the hacker changes the text. Words are then “placed in the mouth” of the victim.
By replying to a user using the quote feature, a hacker can change the identity of the person who sent the original message or the content of the message. This makes it seem like the message comes from someone who is not in the group.
With this, they can, for example, accuse people of failing to comply with false agreements.
A hacker sends a private message on your behalf to another participant in a group conversation, but it is actually a disguised group message. If the ‘victim’ responds, their response is visible to everyone in the group.
This kind of attack can lure a person to publicly reveal personal details and sensitive information that is usually exchanged only through private messaging.
What WhatsApp has to say about FakesApp
The security researchers at Check Point Research have informed WhatsApp about the bug. WhatsApp’s security team has acknowledged the issue but has not pushed any update so far.
A spokesperson remarked that this vulnerability has nothing to do with their end-to-end encryption, but with the design framework of the app.
Generally, WhatsApp accounts caught using such vulnerabilities are banned from the platform.
That said, a proper user-facing update that patches FakesApp would be a great addition to the app.
(Source – Check Point)