Israeli security company Check Point Research showed that WhatsApp messages and the identity of the sender can be changed if the account is hacked. This was revealed by the researchers during the annual Black Hat security conference held in Las Vegas on August 7. According to the report, a threat actor may potentially:

  • Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  • Alter the text of someone else’s reply, essentially putting words in their mouth.
  • Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.

Its worth noting that Check Point had notified WhatsApp about the risks towards the end of 2018 that the risks would allow threat actors to intercept and manipulate messages sent in both private and group conversations, allowing them to create and spread misinformation from channels which appear to be trusted sources. According to the security company, WhatsApp has fixed the third risk but it is still possible to manipulate quoted messages and spread misinformation.

In response to MediaNama’s query, a spokerperson of WhatsApp’s parent Facebook said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages”.

Check Point created a tool which allowed the researchers to decrypt WhatsApp communication and manipulate the messages. According to the researchers, by converting WhatsApp’s  “protobuf2 protocol” algorithm for encryption to “Json”, they could see the actual parameters being sent and manipulate them. “By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This enabled us to then manipulate them and start looking for security issues,” the report noted.

WhatsApp’s encryption debate

This revelation comes at a time when WhatsApp is locking horns with the Indian government over its encryption feature which does not allow the company to read the messages sent through the platform. In order to curb the spread of misinformation, the central government has asked WhatsApp to trace the creator of a fake message. However, WhatsApp declined to concede to the demand because it would require them to compromise with the encryption feature.

However, Dr V. Kamakoti, a computer science professor at IIT Madras in his submission to the Madras High Court mentioned that tracing the originator is possible without breaking encryption. In an interview with MediaNama, Kamakoti had said, “WhatsApp remains the same. Their end-to-end encryption remains the same. There’s nothing that we want to change. There’s nothing that warrants the change.” According to Kamakoti, this can be achieved via: i) consent-based forwarding and ii) Tagging information of the originator along with the message.

  • Consent based forwarding:  According to Kamakoti, a new feature can be added to mark messages as ‘forwardable’ or ‘not forwardable.’ “When you are originating a message, you can also be given the option [of making a message forwardable or not forwardable] when I am sending a message to you. I can set that bit and send it to you. That means you cannot forward it to anyone. Now you cut and paste and send it, that still you can do. When you cut and paste, then you become the originator, then you take the responsibility.”
  • Tagging originator’s information to the message: “The recommendation is that when a message is generated, originated, you take the message, okay, and at that point, your whole number gets tagged with the message and it travels around with the message. As long as nobody, as long as somebody keeps forwarding the same, the originator information also goes along with it. So anybody who receives the message, sees the originator.”  While speaking about the privacy of the sender, he said that the information about the originator can be encrypted which can be later broken by law enforcement agencies when a message is reported. “If there are privacy and other issues, then it can do an encryption and send that, you know, as a part of the message, wherever in this message. You can encrypt it. Whenever somebody goes to the LEA [law enforcement agency] and says that this message is very disturbing, or derogatory, or whatever, then the LEA can basically talk to WhatsApp and get it [the originator’s information, not the message] decrypted,” he explained.