How WhatsApp's Latest Security Bug Could Gaslight You
The latest WhatsApp vulnerability could let hackers impersonate you and gaslight your chat group buddies. Should you be worried? In the video below, our CTO Floh explains how the flaw works and why using end-to-end encryption is still a good thing.
Right. So WhatsApp has a gaslighting problem. Or rather, they have a vulnerability. That means that messages can be tweaked in a way that makes them seem like they’re possibly something other than what the sender intended them to be. And so that’s a pretty interesting way of digging into some of the issues and some of the problems that we try to solve in secure messaging, and secure communications in general.
So what’s going on with WhatsApp is that whenever you send a message in a group chat, or in a one on one message, there are a whole bunch of properties associated with messages that aren’t just its content. So, you know, it’s, it’s the stuff that we call metadata generally. And so that’s, for example, who sent this message? What time was it sent at? What’s the context that it was sent in, and all of these kinds of properties that maybe aren’t very obvious and are sort of subtle, but are really important, and how WhatsApp is going to then show this message to you.
And the thing that’s going wrong, and what Whatsapp recently discovered, is that these properties are not being validated. So what that means is that maybe I can send a message that’s actually for me, but I can tweak it after the fact to make it seem like it’s from someone else in the chat. And so this is what I mean by gaslighting right, you can, you can make it seem like someone said something that they didn’t. And there’s a whole bunch of similar things where the attacker can screw with the metadata. And then they can make messages seem like something malicious, or, you know, they can just kind of find clever ways to manipulate a conversation.
The thing about this is that it’s not really it’s not about the encryption. The encryption in WhatsApp, as in other applications, ensures that people cannot eavesdrop if they’re not in the conversation. But encryption alone cannot protect you from these kinds of manipulations coming from people that are already in the chat. Because this is one of the crucial things about this kind of attack is that it requires that the person who is the attacker already be in contact with the people that they’re trying to manipulate or spoof or whatever.
And so this really isn’t about the encryption. This is something that’s specific to Whatsapp design and something that they could actually fix without changing the way that their encryption works at all. And so it doesn’t affect anything else. This using end-to-end encryption and end-to-end encryption is still a good thing. It’s just that there are other things that are also great that you should look for in a product that is trying to give you security.