PSA: Flaw in WeChat Design Makes it Easy to Impersonate Other Accounts


Tencent’s WeChat has, almost in the blink of an eye, grown into one of China’s biggest social platforms. But the service may have just bumped into a serious snafu: users are pointing out that the app’s policy of letting users switch nicknames and avatars freely makes it relatively easy for criminals to impersonate a friend or an official organization on the app. This isn’t just a China issue either; the international version is just as happy to let you impersonate whoever you’d like. For example, when I tried switching my name to “McDonalds” and my avatar to McDonalds’ real account’s avatar, the app seemed to have no problem with it:


Obviously Willis was able to see through my not-so-carefully-crafted ruse, but you can see how this really could cause problems. Anyone looking out for it would be able to catch the deception easily enough by looking at the fake account’s actual account name (which, unlike the nickname, can’t be easily changed). But casual or unsuspecting users may not think to do that, and with the right nickname and avatar, a convincing faker could do some disturbing things. One of the more obvious ruses: posing as a WeChat representative to collect user passwords.

When asked about this, a Tencent spokesperson told the Beijing Morning Post that WeChat is just a chat tool and there’s no way to bind real-name identities to WeChat accounts. The spokesperson also pointed out that users could avoid this problem by simply being careful about who they add as friends. It’s a fair point, but a bit rich coming from an app whose original marquee feature was its “shake-to-meet-strangers” capability.

But whether Tencent wants to or not, it could find itself directed to add a real name system to its popular mobile software. China’s government clearly prefers real-name platforms, and Sina Weibo was forced to add a real-name system (although it did a very half-assed job of implementing it). WeChat doesn’t have the political power that Weibo has, of course, so the government may not feel as obligated to keep a handle on who is saying what using the service. But if criminals really do start exploiting WeChat’s policies for fraud — there’s no evidence this is a common occurrence just yet — then the decision could be taken out of Tencent’s hands entirely.

In the meantime, let this be a warning to all of our readers on WeChat: if you get a message from a “friend” who wants to add you, be sure to double-check the actual WeChat username, because the nickname and avatar may have been chosen to fool you. (And of course, never give out your password to anyone, regardless of their nickname or avatar.)
