With over 1 billion users and over 60 billion messages sent every day, Facebook owned WhatsApp has had a problem with the spread of fake news and rumors. Due to this they have had to put restrictions on the amount of times a particular message could be forwarded.

It now has gotten worse, as researchers from CheckPoint have figured out a way to manipulate conversations in order to modify existing replies that were received, quoting a message so it appears that it came from another user who may not be part of the group, and sending private messages that can be seen by only one person in a group, but having their replies go to everyone in it.

Illustration of attacks

"Given WhatsApp’s prevalence among consumers, businesses, and government agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams," Oded Vanunu, Check Point’s Head of Product Vulnerability Research stated about these findings. " As one of the main communication channels available today, WhatsApp is used for sensitive conversations ranging from confidential corporate and government information, to criminal intelligence that could be used in a court of law."

Using these techniques, attackers can manipulate conversations and group messages in order to change evidence and spread fake news and misinformation.

How the attacks work

As WhatsApp encrypts messages sent through the app, in order to determine how WhatsApp sends a message, they first had to decrypt the network request. While messages between users are secure, a local client still needs to decrypt the message. This allowed CheckPoint to reverse the encryption and then locally decrypt the network requests to determine how communication is done.

Now that they could see what variables were being used when a message is sent, they could start to manipulate the variables in order to see what could be changed or done. This allowed them to discover that they could modify messages or change the way they appeard in order to confuse recipients.

"Then you can start play with the parameters and try to attack the system as a normal web application without any encryption in the way." CheckPoint researcher Roman Zaikin told Bleeping Computer.

For a demonstration of this attack, you can watch the video below that was created by the CheckPoint researchers.

Zaikin also told us that this vulnerability can only be carried out by users in a conversation and cannot be carried out by someone sniffing the network due to the encrypted communication.