The tool was demonstrated at Black Hat, a cyber-security conference in Las Vegas, as a follow up to a research paper published by Checkpoint last year. The vulnerability could be used by “malicious actors” to manipulate conversations on the platform, create fake news and fraud, researcher Oded Vanunu told the BBC.
“You can completely change what someone says,” Vanunu said. "You can completely manipulate every character in the quote.”
The tool also allows an attacker to change how the sender of the message is identified, making it possible to attribute a comment to a different author. Another flaw could trick users into believing they were sending a private message to one person, when in fact their reply went to a more public group, yet that one was successfully fixed by Facebook.
According to Vanunu, Facebook told the researchers that other issues could not be resolved due to “infrastructure limitations” on WhatsApp, as the encryption technology used in the messenger made it extremely difficult for the company to monitor and verify the authenticity of messages being sent by users.
Vanunu said that the researchers decided to publicly reveal the flaw hoping it would provoke discussion, even though it could make it easier for others to exploit the vulnerability.
“[WhatsApp] serves 30% of the global population. It's our responsibility. There is a big problem with fake news and manipulation. It's the infrastructure that serves more than 1.5 billion users. We cannot put it aside and say: 'Okay, this is not happening,’" he said.
Facebook issued a statement to the BBC, denying that there is a security vulnerability, adding that they have been aware of the issue for a year now.
“The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn't write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private - such as storing information about the origin of messages,” the statement reads.
The possibility of spreading misinformation on WhatsApp has been a major cause of concern, particularly in countries such as India and Brazil, where misinformation has lead to instances of violence, and in some cases, death. WhatsApp made changes to its platform in an effort to reduce the spread of misinformation, including limiting the number of times a message could be forwarded.
