A security alert of sorts went out this week for WhatsApp users. It suggested that the platform has a security flaw that allows someone to “Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group”, and to “Alter the text of someone else’s reply, essentially putting words in their mouth”.
Check Point Research pointed out the flaw during this year’s Black Hat security conference. It had already been discussed a year ago.
While a number of sites have written about the exploit, as it turns out, it might not be quite as big a deal as Check Point made it out to be.
Facebook gave this statement to The Next Web about the issue:
“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private — such as storing information about the origin of messages.”
The crux is that if WhatsApp does address the issue, the fix will also make the app less private. Having the exploit out there is arguably a much better proposition than fixing it at the expense of user privacy.
The process for an attacker to take advantage of the exploit is also pretty involved. That obviously doesn’t mean that someone won’t do it, but altering those messages isn’t exactly easy.
All that is to say: It isn’t a big deal. But if you see that someone has sent something that seems exceptionally unusual, find another way to confirm that the message did in fact come from the person who supposedly wrote it.