Security researchers have discovered multiple flaws in WhatsApp that could leave users vulnerable to attack: both the text content of messages and the links in website previews can be tampered with to display false content, and to show modified links that point to malicious destinations.
The same flaws also allowed the researcher, Weizman, to gain read access to the local file system through both the Mac and Windows desktop apps. The company said that unsuspecting users could be exposed to harmful code or links injected into their seemingly innocuous exchanges.
Through the WhatsApp desktop platform, Weizman was able to locate the code where messages are formed, tamper with it, and then let the app continue its normal message-sending flow. The modified message bypassed the app's filters and was sent as usual, appearing relatively normal in the user interface.
The researcher also found that website previews, displayed when users share web links, can be tampered with before they are shown.
“As businesses increasingly rely on social messaging apps such as WhatsApp for customer engagement, they must remain vigilant about these risks. As we learned from this research, malicious third parties can modify content and redirect users, putting the brand experience and user data at risk,” said Safruti.
Corin Imai, senior security advisor at DomainTools, told SC Media UK that the fact that this vulnerability exists in such a prominent messaging platform is definitely a cause for concern.
WhatsApp has an estimated 1.5 billion monthly users, and in developing democracies such as India, where WhatsApp has a user base of 200 million, it has become a substitute for town-square talk.
“Users in India would have their ‘family’ and ‘friends’ chat groups, but often also use third-party apps to find and join WhatsApp groups aligned with their political views. For a vulnerability to be able to edit the content of messages is both a legitimate cause for concern from a cyber-security perspective, but potentially also from a fake news perspective,” she said.
In the UK, some companies use WhatsApp as a backup communications network in the event that their internal network is heavily infiltrated by an intruder.
Keith Geraghty, solutions architect at edgescan, told SC Media UK that users should ensure they use the latest safe release of the software. “But while defences on the software side may add a layer of protection, it’s been proven the most effective approach to these types of attacks is educating your users. Organisations need to invest in proper phishing campaigns, educating non-security savvy people to review and look closely at the link they are about to click. This can be as simple as simply hovering over the link and observing where you will be taken or what you are downloading,” he said.
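The check Geraghty describes, comparing where a link says it goes with where it actually goes, can also be automated on the client side. The following is an added example written for this article; it is not code from WhatsApp, PerimeterX or the researchers quoted above. It assumes a hypothetical chat client that hands each rendered link's display text (or preview URL) and its real href to an `auditLink` helper before the user can click it, and it treats any non-web scheme as suspicious because the flaws described above included reading the local file system from the desktop app.

```javascript
// Added example, not from the original article: a client-side link audit that
// mirrors the "hover and look where you will be taken" advice. It compares the
// destination a link *displays* (link text or preview URL) with where the href
// actually points and returns a verdict plus a human-readable reason.
// Runs under Node (URL is a global) or in a browser.

// Lower-case the host and drop a leading "www." and a trailing dot so that
// cosmetic differences do not produce false mismatches.
function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, '').replace(/\.$/, '');
}

// Parse a string as a URL, prepending https:// when no scheme is present,
// since display text such as "example.com/offer" usually omits the scheme.
// Returns null for anything the URL parser rejects.
function parseLoose(text) {
  const trimmed = text.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:/i.test(trimmed) ? trimmed : `https://${trimmed}`;
  try {
    return new URL(withScheme);
  } catch {
    return null;
  }
}

// displayText: what the user sees (link label or preview URL); href: the real target.
// Verdicts: 'allow' (hosts match), 'warn' (text does not reveal a host, show the
// real one), 'block' (host mismatch, non-web scheme, or unparseable target).
function auditLink(displayText, href) {
  const target = parseLoose(href);
  if (!target) {
    return { verdict: 'block', reason: 'unparseable href' };
  }

  // A chat link should only ever open a web page; file: and similar schemes
  // point at local resources rather than a website.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { verdict: 'block', reason: `non-web scheme ${target.protocol}` };
  }

  const realHost = normaliseHost(target.hostname);
  const shown = parseLoose(displayText);
  // Only treat the display text as a URL if it parsed, contains a dot and has
  // no whitespace; "Click here" or "Order 42" are labels, not destinations.
  const looksLikeUrl = shown !== null && /[.]/.test(displayText) && !/\s/.test(displayText.trim());
  if (!looksLikeUrl) {
    return { verdict: 'warn', reason: `text does not show the destination; actual host ${realHost}` };
  }

  const shownHost = normaliseHost(shown.hostname);
  if (shownHost !== realHost) {
    return { verdict: 'block', reason: `displayed host ${shownHost} but link goes to ${realHost}` };
  }
  return { verdict: 'allow', reason: 'displayed and actual hosts match' };
}

// Constructed sample links (hostnames are placeholders, not real sites).
const samples = [
  ['https://www.example.com/news', 'https://example.com/news'],
  ['example.com/offer', 'https://evil-host.example.net/landing'],
  ['Click here', 'https://example.org/'],
  ['example.com', 'file:///etc/hosts'],
];
for (const [text, href] of samples) {
  const { verdict, reason } = auditLink(text, href);
  console.log(`${verdict.padEnd(5)} ${text} -> ${href} (${reason})`);
}
```

The 'warn' verdict is deliberate: a label such as "Click here" is not itself a mismatch, but the user has no way to judge it without seeing the real host, so the client should surface that host rather than silently allow the click.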