
Cybersecurity Firm Finds Way to Alter WhatsApp Messages - denzil_correa
https://www.nytimes.com/2018/08/07/technology/whatsapp-security-concern.html
======
saurik
This is because messages can be repudiated, which is definitely intentional
and definitely a feature. The author of this article makes it sound like some
lame defense and goes into the idea of this being used in the wild like some
kind of an attack, but repudiation is an important feature, not a bug.

Even more annoying are these so-called cybersecurity researchers--"Check Point
Software"--claiming "The public relies on the integrity of the message,
WhatsApp needs to adjust to prevent this simple manipulation." It definitely
makes me embarrassed for my field :/.

~~~
marcolussetti
Check Point is the people who bought Zone Alarm, right?

------
davnicwil
To be clearer, as I understand it you can only manipulate the displayed
content of a message you are 'replying' to, not literally the original
message.

If you click on the replied to message, it takes you back to the original, so
this kind of manipulation is very simple to verify in cases where doing so
would be important.

Doesn't seem like a very useful exploit in practice.

~~~
crtasm
Yes, it's like editing the quoted text in an email except 1) even easier to
check if it was done to you and 2) can't be done with the standard client.

~~~
dstick
In that case calling it an exploit and the author a security researcher is
laughter inducing at best! :)

------
mkagenius
Oh! So, WhatsApp takes everything from a sender including the previous text.
Can't it have some kind of reference (hash or uuid) since the receiving
party already has the original text?

~~~
saurik
Actually, the receiving party might not have the original text, as you might
be replying to a message sent before they joined the group.

~~~
mkagenius
> the receiving party might not have the original text

Sadly, that's why I wouldn't build such a feature (or WhatsApp) and remain
poor the whole of my life.

~~~
saurik
LOL ;P. It just occurred to me there is another even simpler case: the other
user also might have cleared their message history since the message was sent.
FWIW, I entirely believe you would have discovered these corner cases early in
the testing process (were you to have gone ahead and started to build WhatsApp
;P).
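
The reference-versus-copy trade-off discussed in this subthread, as an added example that is not part of the thread and not WhatsApp's actual message format: a receiving client checks a reply's embedded quote against its own copy of the referenced message, and treats a missing local copy (joined later, history cleared) as unverifiable rather than as tampering. All names and the message layout are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class QuoteStatus(Enum):
    VERIFIED = "verified"          # local original exists and matches the quote
    MISMATCH = "mismatch"          # local original exists, quote differs from it
    UNVERIFIABLE = "unverifiable"  # no local original to compare against


@dataclass(frozen=True)
class Message:
    sender: str
    text: str


@dataclass(frozen=True)
class Reply:
    body: str
    quoted_id: str   # reference to the original message (hypothetical field)
    quoted: Message  # embedded copy, needed when the receiver lacks the original


def check_quote(reply: Reply, local_store: dict) -> QuoteStatus:
    """Compare the embedded quote with the receiver's own copy, if it has one."""
    original = local_store.get(reply.quoted_id)
    if original is None:
        # Receiver joined the group later or cleared history: nothing to verify.
        return QuoteStatus.UNVERIFIABLE
    if original == reply.quoted:
        return QuoteStatus.VERIFIED
    return QuoteStatus.MISMATCH


# Constructed sample data: what this receiver actually holds locally.
LOCAL_STORE = {"m1": Message("alice", "Lunch at noon?")}

SAMPLE_REPLIES = [
    Reply("Sure", "m1", Message("alice", "Lunch at noon?")),       # honest quote
    Reply("Sure", "m1", Message("alice", "Lunch is cancelled")),   # altered text
    Reply("Sure", "m1", Message("bob", "Lunch at noon?")),         # altered sender
    Reply("Agreed", "m0", Message("carol", "Sent before I joined")),  # no local copy
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r.quoted_id, repr(r.quoted.text), "->", check_quote(r, LOCAL_STORE).value)
```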

------
fjsolwmv
The article isn't so bad but the headline and "lede" are very misleading, and
the journalist presents it as "two sides of the story" instead of trying to
understand the level of exaggeration in the "security" researchers' claim.

