WhatsApp is never far from the headlines. The two latest stories, in India and the US, will do little to improve its reputation. In India, the Department of Telecommunications is seeking ways to block Facebook, WhatsApp and other social media apps during emergencies, and has asked telecoms providers to suggest what could be done.
The Indian Government has invoked concerns over national security. It is also responding to a growing problem where false rumours spread over the app have led to mobs lynching innocent victims. The proposal has come under fire from the telecom industry and across social media. WhatsApp has responded by unveiling new measures to curb misinformation and fake news. However, given the inability of its parent, Facebook, to deal with the same issues on its own platform, the Government of India does not appear to be taking WhatsApp's response seriously.
To compound the problem, two security researchers at Check Point Research, Dikla Barda and Roman Zaikin, have made public three new vulnerabilities in WhatsApp. They claim the flaws “could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.”
What are the WhatsApp vulnerabilities?
The report issued by the two authors provides a solid technical analysis and attack scenarios. All three vulnerabilities have been reported to WhatsApp, although the company declined to respond to us when asked if or when patches would be available.
What will worry WhatsApp users, and governments such as India's, is that the two researchers were able to decrypt WhatsApp traffic. To be precise, they decrypted the traffic of their own WhatsApp Web session, using keys their own client already held, rather than breaking the encryption of anyone else's conversation. That was enough to expose the message parameters they needed to launch a number of attacks.
Exploiting the vulnerabilities relies on social engineering, which, given the subject matter, is rather apt. They allow a threat actor to:
- Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Alter the text of someone else’s reply, essentially putting words in their mouth.
- Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
All three attacks make it possible for someone to create a fake news storm that WhatsApp users would believe is real, because WhatsApp, like a number of other apps, presents its encryption as a guarantee that messages cannot be tampered with. The distinction matters: end-to-end encryption protects a message in transit between the two endpoints, but it does nothing to stop a legitimate participant from sending a message whose quoted context (the supposed original sender and text) has been fabricated, if the receiving client simply trusts whatever quote fields the sender supplies. With US mid-term elections coming up, it is entirely reasonable to assume that these attacks could be exploited to create fake news to sway voters.
It is not just the US that will be worried. The use of WhatsApp to spread messages that have resulted in mobs lynching innocent victims is already a problem in India. With rising communal tensions in some parts of that country, threat actors could quickly inflame local disputes.
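The following is an added illustration written for this article, not code from Check Point or WhatsApp, and it uses a deliberately simplified, constructed message format rather than WhatsApp's real wire protocol. It shows the general class of problem behind the first and third bullets above: a renderer that trusts the sender-supplied quote fields and payload chat id will display a forged reply and a disguised private message as genuine, whereas a renderer that resolves the quoted message by id against what the client actually received, and labels the conversation by the channel the message arrived on, does not. All names, message ids and chat ids are invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Message:
    """One chat message as a client might decode it (constructed format, not WhatsApp's)."""
    msg_id: str
    chat_id: str                          # conversation the payload claims to belong to
    sender: str
    text: str
    quoted_id: Optional[str] = None       # id of the message being replied to
    quoted_sender: Optional[str] = None   # inline copy of the quoted sender, chosen by the replier
    quoted_text: Optional[str] = None     # inline copy of the quoted text, chosen by the replier


class MessageStore:
    """Messages this client has actually received, keyed by id."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Message] = {}

    def add(self, m: Message) -> None:
        self._by_id[m.msg_id] = m

    def get(self, msg_id: str) -> Optional[Message]:
        return self._by_id.get(msg_id)


def render_naive(m: Message) -> str:
    """Trusts every field in the payload, including the inline quote and the chat id.
    This is the behaviour a quote-forging or disguised-private-message attack relies on."""
    out = f"[{m.chat_id}] {m.sender}: {m.text}"
    if m.quoted_id:
        out += f' (replying to {m.quoted_sender}: "{m.quoted_text}")'
    return out


def render_verified(m: Message, store: MessageStore, arrival_chat: str) -> str:
    """Binds what is displayed to what the client can check locally.
    arrival_chat is the conversation the transport actually delivered the message on."""
    # 1. Label the conversation by the channel of arrival. A payload naming a group
    #    while arriving over a 1:1 channel is not rendered as a group message.
    chat_label = arrival_chat
    if m.chat_id != arrival_chat:
        chat_label = f"{arrival_chat} (payload claimed {m.chat_id})"
    out = f"[{chat_label}] {m.sender}: {m.text}"
    if not m.quoted_id:
        return out
    # 2. Resolve the quote by id against the local store; never display the inline copy.
    original = store.get(m.quoted_id)
    if original is None:
        return out + " (quote: original message not found)"
    if original.chat_id != arrival_chat:
        return out + " (quote: refers to a message from another conversation)"
    # 3. Show the stored sender and text, and flag an inline copy that disagrees.
    out += f' (replying to {original.sender}: "{original.text}")'
    if (m.quoted_sender, m.quoted_text) != (original.sender, original.text):
        out += " [inline quote did not match stored message]"
    return out


def demo() -> Dict[str, str]:
    """Constructed scenario: alice posts in a group; mallory replies with a forged quote
    attributed to carol (who is not in the group), then sends bob a 1:1 message whose
    payload claims to be a group message."""
    store = MessageStore()
    store.add(Message("m1", "group:friends", "alice", "Meet at six"))
    forged_reply = Message("m2", "group:friends", "mallory", "Agreed!",
                           quoted_id="m1", quoted_sender="carol",
                           quoted_text="I hate everyone here")
    disguised = Message("m3", "group:friends", "mallory", "Bob, is the plan off?")
    return {
        "naive_reply": render_naive(forged_reply),
        "verified_reply": render_verified(forged_reply, store, "group:friends"),
        "naive_private": render_naive(disguised),
        "verified_private": render_verified(disguised, store, "dm:mallory-bob"),
    }


if __name__ == "__main__":
    for label, rendered in demo().items():
        print(f"{label}: {rendered}")
```

The design point is that nothing in the verified renderer depends on cryptography: the quoted text and its sender are looked up from the client's own copy of the referenced message, and the conversation label comes from the channel the message was received on, so a sender controls only its own text and the id it points at. A client that stores quotes by reference in this way cannot be made to display words the quoted person never sent, and a 1:1 message cannot masquerade as group traffic.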
What does this mean?
Ever since Facebook acquired WhatsApp in 2014 for a whopping US$19 billion, the deal has had problems. WhatsApp suffered outages that cost it a lot of users, while others decided they did not trust Facebook and left the platform. The company also fell foul of the European Commission when it started sharing data between Facebook and WhatsApp, despite claims made when the deal was approved that this would be technically impossible.
WhatsApp has also had to deal with governments around the world over the way messages are encrypted. The protection it offers has been used by terror groups and criminal gangs to conceal messages from the authorities. It is not alone in this, as other secure messaging apps have been used for the same purpose. The company has said that there is no way to intercept messages, and previous attempts to discredit its encryption have proved limited in scope.
Against the backdrop of concern over fake news, these latest vulnerabilities are much more serious, precisely because they do not need the encryption to be broken at all. At present, WhatsApp is not responding to emails about the risk they pose, nor is it saying whether the issues have been fixed. With the scrutiny it faces in India and the US, it needs to get ahead of this.