Two Spanish programmers have proved it’s possible to fake a WhatsApp message. By falsifying sender information, they sent a message that looked, to WhatsApp’s servers, like it was from someone else. In some countries, WhatsApp messages can be used as evidence in legal trials, but if it’s possible to plant fake messages, this could be undermined.
The duo, Pablo San Emeterio and Jaime Sánchez, had previously broken WhatsApp server security, prompting the company to improve it. WhatsApp now requires four ‘security keys’ to check that a message is valid, but the two programmers managed to calculate the keys and trick WhatsApp into thinking a message was genuine when it wasn’t. They intercepted the message’s metadata and changed it, so the message appeared to come from a different sender.
The issue, for San Emeterio and Sánchez, is that as long as WhatsApp security can be circumvented, it’s impossible to say with certainty who a message came from. The pair are security experts, and there is no suggestion that what they did is simple, but they have highlighted again how fragile online security can be.
Since its high-profile purchase by Facebook, WhatsApp is sure to come under the spotlight even more, and the company will have to ensure its service is as secure as possible.
We’re reaching out to WhatsApp for comment.
Update: WhatsApp CEO Jan Koum has responded to this story, saying the hack actually happened on the phone that received the message, not on WhatsApp’s servers.