Multiple loopholes and security vulnerabilities in WhatsApp could have allowed people to alter the text of someone's message and inject malicious code in a user's browser, cybersecurity researcher Gal Weizman revealed in a blog post on February 4. Weizman had reportedly informed Facebook about this last year and the company has since dealt with the issues in the application. The report was first covered by The Hacker News. Key Findings The research by Weizman revealed important loopholes and security flaws, mostly in WhatsApp web, the application's browser version. Some of these include: Altering the text of a message: By manipulating the metadata of the object containing a message, one could basically reply to messages that were never a part of the conversation. For instance, it would allow a user to quote a made-up message (using the reply feature on WhatsApp) that was never written. Tampering with preview banners and links in messages: WhatsApp shows previews of links (with information regarding the link) that are sent as part of messages. A security flaw allowed one to tamper with the banner properties before the message is sent. Basically, by exploiting this vulnerability, it is possible to mislead users about the content of the link by showing the banner of a different link. For instance, hackers could send the link www.hacker.com, but the message would instead show a preview banner of www.facebook.com. Such a misleading preview could prompt the user to click on a malicious link in a message. Moreover, it was also possible to tamper with the…
