The vulnerability was affecting feature for quoting messages stored in Android. Balachandar was able to change quoted message. He was able to quote messages that has never been sent by another participant in chat. So here’s how it looks when Balachandar exploited this vulnerability:
This is not the first time that Balachandar found security issue in WhatsApp, in March 2016 he was rewarded by WhatsApp’s co-founder Brian Acton. Balachandar reported more than 35 security issues in WhatsApp application.
Exploiting this vulnerability was not simple. The attacker have to modify the source code of the android application in order to spoof quoted messages. Since Balachandar is professional Android Developer, it wasn’t problem for him. The vulnerability is still not patched, but they are working on it. We hope it will be patched very soon and provide bug bounty for researcher who found this security issue and actively improving security.
Cool 😛
ReplyDelete