Researchers say a recently released tool that exploits a vulnerability in Facebook’s WhatsApp can be used to “put words in people’s mouths”.
A team from cybersecurity firm Check Point demonstrated how the tool can be used to alter the text within quoted messages, making it appear as if the sender had said something when in fact that was not the case.
“Malicious actors” would be able to manipulate conversations on the platform with the help of the tool, said researcher Oded Vanunu.
There were no comments available from Facebook.
The tool was demonstrated at Black Hat, a cyber-security conference in Las Vegas, after Check Point published a research paper on the issue last year. “It’s a vulnerability that allows a malicious user to create fake news and create fraud,” Vanunu explained.
The tool can be used to tinker with the quoting feature on WhatsApp. “You can completely change what someone says,” Vanunu said. “You can completely manipulate every character in the quote.”
An attacker using the tool can also change how the sender of a message is identified, which makes it possible to shift credit for a quote from one user to another.
Facebook has, however, fixed a third issue highlighted by the researchers. That vulnerability could have been used by attackers to trick users into believing they were sending a private message when their message was actually delivered to a more public group.
According to Vanunu, Facebook has told the research group it was not possible to resolve the other issues because of “infrastructure limitations” on WhatsApp.
One of the major challenges for Facebook is to be able to monitor the encryption technology used by WhatsApp. According to experts, monitoring and verifying the authenticity of messages being sent by users is very difficult and nearly impossible because of the level of encryption. Facebook told the researchers that other possible measures to stop the problems highlighted could result in trade-offs in the usability of the app.
When asked by the media why his group had made public a tool that could be used by attackers to take advantage of the vulnerability in WhatsApp, Vanunu said he hoped the move would provoke discussion.
“[WhatsApp] serves 30% of the global population. It’s our responsibility. There is a big problem with fake news and manipulation. It’s infrastructure that serves more than 1.5 billion users.
“We cannot like put it aside and say: ‘Okay, this is not happening.’”
There have been huge concerns about the spread of misinformation on WhatsApp, particularly in countries like India and Brazil, where the spread of false statements and information has resulted in violence and even death in some cases.
WhatsApp has taken some measures to try to stop the spread of misinformation, such as limiting the number of times a message can be forwarded.
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp,” it said. “The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write.
“We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages.”
(Adapted from BBC.com)