The new tool builds upon a vulnerability in Facebook’s WhatsApp, Bloomberg reports. It has been reported on by researchers from cybersecurity firm Checkpoint, who show how text within quoted messages can be changed. The risk is, Oded Vanunu from Checkpoint, tells the BBC that malicious actors can manipulate conversations on the platform. The software additionally allows an attacker to change the names of people sending content in group chats. This makes it possible to attribute a comment to a different source.
Vanunu states: “It’s a vulnerability that allows a malicious user to create fake news and create fraud. You can completely change what someone says…You can completely manipulate every character in the quote.”
Checkpoint first raised the issue at the Black Hat cyber-security conference in Las Vegas to Facebook in 2018. Surprised that Facebook seem to have done nothing about the WhatsApp vulnerability, the Israel-based company have re-issued their concern. The concerns could be significant given that WhatsApp has some 1.5 billion users, and the ostensibly free service is used for personal conversations, business communications and political messaging.
In an open letter to Facebook, Checkpoint Research write: “‘Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application that would enable threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers the power to create and spread misinformation from what appear to be trusted sources. We believe these vulnerabilities to be of the utmost importance and require attention.”
Facebook, however, are disputing the issue, according to The Daily Telegraph. A Facebook spokesperson writes: “A Facebook spokesman said: “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp.”