Indian WhatsApp users must beware what they share: Check Point

New Delhi: Following a global disclosure by Israeli cyber security firm Check Point highlighting vulnerabilities in messaging giant WhatsApp’s platform that can allow threat actors to intercept and manipulate messages sent in both private and group conversations, the authors of the firm’s research paper told ET in an interview that given the mass usage of the application in India, it is recommended that end users be cognizant of the nature of information they share on WhatsApp.
“According to sources, WhatsApp, the Facebook-owned messaging application has over 1.5 billion users in over 180 countries,” authors of Check Point’s research paper Dikla Barda, Roman Zaikin and Oded Vanunu told ET.

“The average user checks WhatsApp more than 23 times per day. In India WhatsApp has officially registered 400 million users. Given the mass usage of the app, and the vulnerabilities identified with a potential of intercepting and manipulating messages thereby spreading misinformation, it is recommended that the end users be cognizant of the nature of information they share on WhatsApp, especially when it comes to highly confidential and personal information,” they added.

The firm disclosed WhatsApp vulnerabilities at Black Hat, a cyber-security conference in Las Vegas on August 7.

The authors said the vulnerabilities give attackers the power to create and spread misinformation from what appear to be trusted sources and that the firm notified WhatsApp about them towards the end of 2018. The team observed three possible ways of attackers exploiting the vulnerability all of which involve social engineering tactics to fool end-users.

A threat actor may use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group, alter the text of someone else’s reply, essentially putting words in their mouth or send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.

“WhatsApp fixed the third vulnerability which enabled threat actors to send a private message to another group participant disguised as a public message for all. But, we found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources. We believe these vulnerabilities to be of the utmost importance and require attention,” the authors said.