wordpress blog stats
Connect with us

Hi, what are you looking for?

Messages and identity on WhatsApp can be manipulated if hacked: Check Point Research

Israeli security company Check Point Research showed that WhatsApp messages and the identity of the sender can be changed if the account is hacked. This was revealed by the researchers during the annual Black Hat security conference held in Las Vegas on August 7. According to the report, a threat actor may potentially:

  • Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  • Alter the text of someone else’s reply, essentially putting words in their mouth.
  • Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it is visible to everyone in the conversation.

Its worth noting that Check Point had notified WhatsApp about the risks towards the end of 2018 that the risks would allow threat actors to intercept and manipulate messages sent in both private and group conversations, allowing them to create and spread misinformation from channels which appear to be trusted sources. According to the security company, WhatsApp has fixed the third risk but it is still possible to manipulate quoted messages and spread misinformation.

In response to MediaNama’s query, a spokerperson of WhatsApp’s parent Facebook said, “We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private – such as storing information about the origin of messages”.

Check Point created a tool which allowed the researchers to decrypt WhatsApp communication and manipulate the messages. According to the researchers, by converting WhatsApp’s  “protobuf2 protocol” algorithm for encryption to “Json”, they could see the actual parameters being sent and manipulate them. “By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This enabled us to then manipulate them and start looking for security issues,” the report noted.

WhatsApp’s encryption debate

This revelation comes at a time when WhatsApp is locking horns with the Indian government over its encryption feature which does not allow the company to read the messages sent through the platform. In order to curb the spread of misinformation, the central government has asked WhatsApp to trace the creator of a fake message. However, WhatsApp declined to concede to the demand because it would require them to compromise with the encryption feature.

However, Dr V. Kamakoti, a computer science professor at IIT Madras in his submission to the Madras High Court mentioned that tracing the originator is possible without breaking encryption. In an interview with MediaNama, Kamakoti had said, “WhatsApp remains the same. Their end-to-end encryption remains the same. There’s nothing that we want to change. There’s nothing that warrants the change.” According to Kamakoti, this can be achieved via: i) consent-based forwarding and ii) Tagging information of the originator along with the message.

Advertisement. Scroll to continue reading.
  • Consent based forwarding:  According to Kamakoti, a new feature can be added to mark messages as ‘forwardable’ or ‘not forwardable.’ “When you are originating a message, you can also be given the option [of making a message forwardable or not forwardable] when I am sending a message to you. I can set that bit and send it to you. That means you cannot forward it to anyone. Now you cut and paste and send it, that still you can do. When you cut and paste, then you become the originator, then you take the responsibility.”
  • Tagging originator’s information to the message: “The recommendation is that when a message is generated, originated, you take the message, okay, and at that point, your whole number gets tagged with the message and it travels around with the message. As long as nobody, as long as somebody keeps forwarding the same, the originator information also goes along with it. So anybody who receives the message, sees the originator.”  While speaking about the privacy of the sender, he said that the information about the originator can be encrypted which can be later broken by law enforcement agencies when a message is reported. “If there are privacy and other issues, then it can do an encryption and send that, you know, as a part of the message, wherever in this message. You can encrypt it. Whenever somebody goes to the LEA [law enforcement agency] and says that this message is very disturbing, or derogatory, or whatever, then the LEA can basically talk to WhatsApp and get it [the originator’s information, not the message] decrypted,” he explained.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ