
WhatsApp Hack Attack Can Change Your Messages


During a briefing at the annual Black Hat security conference in Las Vegas on August 7, researchers from Israeli security company Check Point revealed how Facebook-owned WhatsApp could be hacked to change the text of a message and the identity of the sender. If that sounds worrying enough, these vulnerabilities were revealed to WhatsApp last year but remain exploitable today.


The WhatsApp hack explained

In a presentation entitled “Reverse Engineering WhatsApp Encryption for Chat Manipulation and More,” Roman Zaikin, a security researcher, and Oded Vanunu, head of products vulnerability research, both at Check Point, explained the process in detail.

The story, however, begins in 2018, when Vanunu, Zaikin and another researcher, Dikla Barda, managed to reverse engineer the WhatsApp Web source code and successfully decrypt WhatsApp traffic. While using the web functions they had found to build an extension for Burp Suite, a web application testing tool, to help with finding vulnerabilities in WhatsApp, the researchers, perhaps unsurprisingly, found some vulnerabilities.

What WhatsApp vulnerabilities did Check Point discover?

There were three possible attack modes determined by the Check Point team, all exploiting social-engineering tricks to fool end-users and all giving an attacker the weapons required to intercept and manipulate WhatsApp messages.

“Towards the end of 2018, Check Point Research notified WhatsApp about new vulnerabilities in the popular messaging application,” the researchers explained, “giving attackers the power to create and spread misinformation from what appear to be trusted sources.”

The three attack methodologies are:

  1. The ability to send a private message to another group participant, disguised as a public message, resulting in the “private” response from the targeted individual being visible to everyone in the conversation.
  2. The use of the “quote” function of a group conversation to change the identity of the message sender, who may not even be a member of the group in question.
  3. A method to enable the text of someone else’s reply to be altered to say whatever the attacker wants. The ultimate modern-day example of “putting words in someone’s mouth.”
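The quote-based scenarios above depend on the recipient displaying whatever sender and text the replying client supplies for the quoted message. As an added illustration (not Check Point's tool and not WhatsApp's code), the sketch below shows a recipient-side consistency check that compares a quote against the recipient's own copy of the conversation; the `Message` and `Quote` models, field names and sample data are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:            # hypothetical local record of a received message
    msg_id: str
    sender: str
    text: str

@dataclass(frozen=True)
class Quote:              # hypothetical quote context attached to a reply
    msg_id: str           # id of the message the reply claims to quote
    sender: str           # sender as claimed by the replying client
    text: str             # quoted text as claimed by the replying client

def check_quote(quote, history, members):
    """Compare a quote with local history; an empty list means it matches."""
    findings = []
    if quote.sender not in members:
        findings.append("quoted sender is not a group member")
    original = history.get(quote.msg_id)
    if original is None:
        # Unverifiable rather than proven forged: the recipient may have
        # joined late or cleared the chat, so a client would warn, not block.
        findings.append("quoted message id not in local history")
        return findings
    if original.sender != quote.sender:
        findings.append("quoted sender differs from original")
    if original.text != quote.text:
        findings.append("quoted text differs from original")
    return findings

# Constructed sample data, not captured traffic.
MEMBERS = {"alice", "bob", "carol"}
HISTORY = {"m1": Message("m1", "alice", "Lunch at noon?")}

def demo():
    cases = {
        "honest": Quote("m1", "alice", "Lunch at noon?"),
        "spoofed_sender": Quote("m1", "mallory", "Lunch at noon?"),
        "altered_text": Quote("m1", "alice", "Wire the funds today"),
        "unknown_id": Quote("m9", "bob", "I approve"),
    }
    return {name: check_quote(q, HISTORY, MEMBERS) for name, q in cases.items()}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "consistent with local history")
```

The check uses only data the recipient already holds, so it needs no server-side record of message origin.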

The WhatsApp response

As of August 7, WhatsApp has only fixed the first on that list. There is obvious potential here for online scams, rumors and fake news given the nature of the two that remain. Check Point went as far as to state that “threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions.”

This despite Check Point informing WhatsApp of its findings in the name of responsible disclosure, and emphasizing these vulnerabilities were “of the utmost importance and require attention.” Check Point even created a tool to exploit the vulnerabilities, decrypting WhatsApp communications and spoofing the messages, by way of a proof of concept to demonstrate the severity of the situation.

It would appear that Facebook-owned WhatsApp did not agree

WhatsApp would seem to have opted to leave more than 1.5 billion users in more than 180 countries exposed to potential attack from actors using these methodologies.

Oded Vanunu, head of products vulnerability research at Check Point and one of the team that discovered the WhatsApp vulnerabilities, explains the reasoning for the presentation at Black Hat. “Instant messaging is a vital technology that serves us day-to-day, we manage our private and professional life on this platform and it’s our role in the infosec industry to alert on scenarios that might question the integrity,” Vanunu says. “WhatsApp was very responsive,” he continues, “but took few actions though, including fixing one of the manipulation scenarios. So, we decided to share the technical information and the scenarios during Black Hat USA 19 to drive awareness.”

A video from the Check Point briefing at Black Hat, showing the vulnerabilities in WhatsApp exploited, can be viewed here:


What has Facebook said?

“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp,” a Facebook spokesperson says, “the scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private, such as storing information about the origin of messages.”

The privacy implications of the WhatsApp hack attack methodology

While I appreciate that privacy is a primary consideration for users of WhatsApp, I’m not convinced that those users will consider the risk of their messages being intercepted and altered a privacy plus point.

Facebook is in a difficult situation with WhatsApp here, but nobody ever said that operating a secure and private messaging service would be easy. The privacy paradox is highlighted in a previous report on Forbes regarding how a merger between WhatsApp and Facebook Messenger might play out.

The independent cybersecurity expert opinion

“This is a very serious issue that still hasn’t been addressed,” says Stuart Peck, director of cybersecurity strategy at ZeroDayLab, “the integrity of messages received from trusted sources is vital if users are going to trust encrypted messaging services like WhatsApp.”

Peck says that he’s really surprised that Facebook hasn’t addressed these vulnerabilities, given its history of having its users’ trust abused via the Cambridge Analytica scandal. “This plays into the hands of attackers,” Peck continues, “the ability to use the ‘quote’ feature in a group conversation to change the identity of the sender is most concerning to me.”

Which is understandable, as this could potentially be used to deliver what Peck describes as “quite devastating pretexts used to manipulate or abuse the trust of people.” If an attacker wanted to gain access to work systems for a target, gathering mobile numbers through Open Source Intelligence, it would be possible to insert themselves into a chat and manipulate both sides of the conversation over time to disclose sensitive information.

What should the worried WhatsApp user do now?

Such “spoofing” in WhatsApp is significantly more dangerous than the email equivalent, according to Peck, because the underlying integrity checking mechanism in this attack is bypassed, with no current way of notifying the recipient it is fraudulent. “Facebook must address this or risk exposing their users to even more attacks,” he warns, adding that “if Facebook doesn’t address this vulnerability then users should consider swapping to another encrypted messaging service such as Signal.”

Updated August 8, 2019: This post was updated with a statement from Facebook


This article was written by Davey Winder from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to
