Another week, and another story that again highlights the security issues and potential dangers of using WhatsApp in an enterprise environment.
This time, security researchers at Check Point have identified vulnerabilities in WhatsApp that would allow attackers to intercept and manipulate both private and group chat messages.
The vulnerabilities allow an attacker to impersonate chat participants – a classic man-in-middle attack. For CIOs this is yet another warning sign that the use of WhatsApp as a messaging app within enterprise environments can put sensitive information, and company reputation, at risk.
The team found three possible ways that WhatsApp could be exploited;
- Using WhatsApp’s “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
- Altering the text of someone else’s reply, essentially putting words in their mouth.
- Sending a private WhatsApp message to another WhatsApp group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
The Check Point team highlights the threat of exploiting the vulnerabilities to share fake news (from an otherwise trusted source). But let’s just think about the vulnerabilities from an enterprise perspective.
From altering legal advice, and sharing incorrect information with a client, to sending damaging information to the press from a “trusted” company source - if communications are susceptible to social engineering, the number of damaging scenarios are alarming.
The basis for any enterprise messaging solution is trust – and if that doesn’t exist, relationships fail.
WhatsApp security wasn’t built for business
WhatsApp has acknowledged that it was possible for someone to manipulate the “quote” feature, but the company disagrees that it is a flaw. WhatsApp said the system was working as it had intended, because the trade-offs to prevent such a deception by verifying every message on the platform would create an enormous privacy risk or bog down the service.
This response is telling.
Remember, the majority of WhatsApp users are consumers. That means roadmap and feature decisions are not based on the requirements of business users, or CIOs.
Nobody can refute the huge success of Whatsapp, but its use as an “unofficial” enterprise messaging app has caused alarm among CIO’s for some time. It’s something we’ve covered on numerous occasions, and one of the reasons why the app has been named as one of the most blacklisted apps in enterprises.
Check Point has published technical details of the vulnerability and there’s also a video of the exploit in action.
Not all encrypted messaging apps are built equally
If you’re a CIO looking to deploy a robust, secure messaging app with end-to-end encryption, find out why Wire is the business collaboration and communication tool of choice by requesting a demo, or starting your free trial.