A cybersecurity firm that discovered vulnerabilities in WhatsApp a year ago has revealed that parent company Facebook still hasn’t rectified the issues.
Israel-based company Check Point Software Technologies claims its researchers found three software flaws that could be used to “alter conversations”, Bloomberg reports.
Yet despite Check Point warning Facebook about the vulnerabilities, only one has been fixed. Oded Vanunu, a researcher at Check Point, told the BBC that the security flaws could be used by “malicious actors” to manipulate conversations.
How do the hacks work?
The flaws were demonstrated by Check Point during a briefing this week at the annual Black Hat security conference in Las Vegas.
According to the Financial Times, the vulnerabilities centre around WhatsApp’s “quote function”, which allows users to respond to another person’s message while quoting them at the same time.
One of the faults could allow an attacker to change the identity of a sender in a group chat; impersonate another member of the group; or create a new “non-existent” member using an exploit associated with the quote function.
Another of the alleged glitches lets users adjust the content of a quoted message, making it “appear as if that message had originally been something different”, the newspaper adds.
The final flaw, which has since been rectified, could be used to trick users into believing they were sending a private message to one person, when in fact their reply went to a more public group, reports Forbes.
Why haven’t they all been fixed?
When Check Point initially warned the social media giant about the glitches, Facebook claimed that it was unable to rectify all three issues due to “infrastructure limitations”, researcher Vanunu told the BBC.
WhatsApp’s encryption systems, which prevent hackers from snooping on conversations, are believed to make it “extremely difficult - perhaps impossible - for the company to monitor and verify the authenticity of messages being sent by users”, the broadcaster says. Other fixes could have an impact on the usability of the app.
This week, Facebook insisted that the research presented by Check Point did not reveal any vulnerabilities within WhatsApp.
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp,” a company spokesperson told Bloomberg.
“The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private, such as storing information about the origin of messages.”