Security experts at Check Point said a hacker could change messages and the sender’s identity, “essentially putting words in [someone’s] mouth,” the FT reported on Thursday (Aug. 7). Facebook acquired WhatsApp in 2014 and was alerted to the security issue in 2018.
At the Black Hat cybersecurity conference held earlier this month in Las Vegas, Check Point’s head of product vulnerability research Oded Vanunu said Facebook blamed the flaws on “limitations that can’t be solved due to their structure and architecture.” Facebook declined to comment, the FT said.
To alert WhatsApp’s 1.5 billion subscribers, Check Point created a means for users themselves to hack chats.
“We think this is our obligation to escalate this,” Vanunu said at the conference, noting that the hacking method wasn’t complicated.
WhatsApp’s encryption was conceived for user privacy, but that also prevents Facebook from authenticating conversations.
Facebook has introduced some constraints over concerns that WhatsApp could be manipulated to spread misinformation and fake news.
In a separate security issue uncovered in May, it was discovered that hackers could use WhatsApp’s phone call function to trigger Israeli surveillance spyware on both iPhones and Android smartphones. The malicious code could be transmitted even if users did not answer their phones.
The code was developed by the Israeli company NSO Group, creator of Pegasus, a program that can turn on a phone’s microphone and camera, search through emails and messages, and collect location data. NSO claims the product was designed to fight terrorism and crime and advertises it to Middle Eastern and Western intelligence agencies.
For its part, WhatsApp said that teams of engineers in San Francisco and London worked to close the vulnerability, with the company rolling out a patch for customers on May 13.