Today WhatsApp has an audience of about 1.5 billion people around the world. Despite such an extensive user base, the developers still have not eliminated the vulnerability that allows messages in personal and group correspondence to be intercepted.
At the Black Hat 2019 conference in Las Vegas, several ways of exploiting the vulnerability were demonstrated. With them, hackers can:
- Alter messages so that the recipient does not suspect that the text was not written by the sender.
- Manipulate the quote function so that it refers to non-existent messages.
- Create the appearance that a message is sent to a single recipient, while it can actually reach the whole community or a group of users.
Programmers reported all of these flaws to the WhatsApp developers in August last year. To date, only the last "hole", the one involving group mailing, has been eliminated, while the other two options for message manipulation can still be used.
In addition, using the web version of WhatsApp, hackers are able to decrypt any correspondence. The access keys are intercepted at the moment the QR code is created. While the user starts the camera from the menu of the mobile client, the hacker intercepts a pair of encryption keys and, after a successful connection, gets access to the correspondence in unencrypted form. Once access has been intercepted in this way, it becomes possible to use the vulnerabilities mentioned above.
Facebook, which owns WhatsApp, previously commented that it cannot fix such vulnerabilities "due to infrastructure restrictions" and the need to compromise between privacy and security. A solution may be a full desktop client, which the developers of the messenger are currently working on.