Hackers could spoof WhatsApp messages, sender names

At a time when concern over misinformation abounds, Check Point Software Technologies researchers discovered that miscreants can use a hacked version of WhatsApp to alter information in already-sent messages.

Changes can be made to content or sender identity, the researchers discovered.  

"We believe these vulnerabilities to be of the utmost importance and require attention," Check Point researchers Dikla Barda, Roman Zaikin and Oded Vanunu said in their findings. The attackers have "immense power to create and spread misinformation from what appear to be trusted sources," they added.

“The issue of WhatsApp chats being spoofed highlights a huge problem for the future: we have to be able to trust that our smartphones and the clouds that run them -- machines that work around the clock for us -- are secure and the Internet is trusted and private,” said Kevin Bocek, chief cybersecurity strategist at Venafi. “It's so easy to imagine how being able to imitate our friends and family members like this could cause havoc and enable bad guys to trick us into doing all sorts of things, and undermine not just chats but everything from the way we bank to the way we shop.”

Calling the problem “a serious flaw,” Bocek said it was made possible by the very things -- encryption and digital certificates -- that ensure privacy and provide authentication between devices, apps, and clouds. 

“Without them we would never be able to communicate securely,” he said. “Unfortunately, this vulnerability shows exactly how they can be abused and how machine identities are the least understood part of cybersecurity.”

Consumers can't do anything to guard against this vulnerability. “It's up to companies to make sure they're protecting all machine identities and how they are used in order to prevent these vulnerabilities and exploits from happening,” Bocek said. “Otherwise how can we know for sure who we're really talking to, banking with or buying from?”