WhatsApp, the world’s leading cross-platform instant messaging client for smartphones, got hacked by a 21-year-old security researcher, Balachandar Karthikeyan. This messaging service has a lot of features, but they always come with big responsibility. Since being acquired by Facebook, they provide a bug bounty, and the WhatsApp platform is under the scope of Facebook’s security.
The vulnerability affected the feature for quoting messages stored on Android. Balachandar was able to change a quoted message, and he was able to quote messages that had never been sent by another participant in the chat. So here’s how it looks when Balachandar exploited this vulnerability:
Exploiting this vulnerability was not simple. The attacker has to modify the source code of the Android application in order to spoof quoted messages. Since Balachandar is a professional Android developer, it wasn’t a problem for him. The vulnerability is still not patched, but they are working on it. We hope it will be patched very soon and that they will provide a bug bounty for the researcher who found this security issue and is actively improving security.