PSA: Flaw in WeChat Design Makes it Easy to Impersonate Other Accounts

C. Custer
10:30 am on Jul 9, 2013

Tencent’s WeChat has, almost in the blink of an eye, grown into one of China’s biggest social platforms. But the service may have just bumped into a serious snafu: users are pointing out that the app’s policy of letting users switch nicknames and avatars freely makes it relatively easy for criminals to impersonate a friend or an official organization on the app. This isn’t just a China issue either; the international version is just as happy to let you impersonate whoever you’d like. For example, when I tried switching my name to “McDonalds” and my avatar to McDonalds’ real account’s avatar, the app seemed to have no problem with it:


Obviously Willis was able to see through my not-so-carefully-crafted ruse, but you can see how this really could cause problems. Anyone looking out for it would be able to catch the deception easily enough by looking at the fake account’s actual account name (which, unlike the nickname, can’t be easily changed). But casual or unsuspecting users may not think to do that, and with the right nickname and avatar, a convincing faker could do some disturbing things. One of the more obvious ruses: posing as a WeChat representative to collect user passwords.

When asked about this, a Tencent spokesperson told the Beijing Morning Post that WeChat is just a chat tool and there’s no way to bind real-name identities to WeChat accounts. The spokesperson also pointed out that users could avoid this problem by simply being careful about who they add as friends. It’s a fair point, but a bit rich coming from an app whose original marquee feature was its “shake-to-meet-strangers” capability.

But whether Tencent wants to or not, it could find itself directed to add a real name system to its popular mobile software. China’s government clearly prefers real-name platforms, and Sina Weibo was forced to add a real-name system (although it did a very half-assed job of implementing it). WeChat doesn’t have the political power that Weibo has, of course, so the government may not feel as obligated to keep a handle on who is saying what using the service. But if criminals really do start exploiting WeChat’s policies for fraud — there’s no evidence this is a common occurrence just yet — then the decision could be taken out of Tencent’s hands entirely.

In the meantime, let this be a warning to all of our readers on WeChat: if you get a message from a “friend” who wants to add you, be sure to double-check the actual WeChat username, because the nickname and avatar could be being used to fool you. (And of course, never give out your password to anyone, regardless of their nickname or avatar.)
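The double-check described above can also be automated on the receiving side. The sketch below is an added example, not code from WeChat or Tencent: it flags a friend request that reuses a known contact's nickname or avatar under a different account name. The `Profile` structure, the account names and the avatar bytes are all constructed for illustration.

```python
import hashlib
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:          # hypothetical structure, not a real WeChat API
    account_id: str     # fixed account name, the only stable identifier
    nickname: str       # freely changeable display name
    avatar: bytes       # freely changeable image bytes

def normalize(nickname: str) -> str:
    """Fold case, character width and spacing so lookalike nicknames compare equal."""
    folded = unicodedata.normalize("NFKC", nickname).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def avatar_digest(avatar: bytes) -> str:
    # Exact-match comparison only; a re-encoded copy of the image would not match.
    return hashlib.sha256(avatar).hexdigest()

def impersonation_warnings(request: Profile, known: list[Profile]) -> list[str]:
    """Warn when a request reuses a known nickname or avatar under another account_id."""
    warnings = []
    req_name = normalize(request.nickname)
    for contact in known:
        if contact.account_id == request.account_id:
            continue  # same underlying account, nothing to flag
        # Nicknames with no letters or digits (emoji only) normalize to "" and are not compared.
        same_name = bool(req_name) and req_name == normalize(contact.nickname)
        same_avatar = avatar_digest(request.avatar) == avatar_digest(contact.avatar)
        hits = [label for label, hit in (("nickname", same_name), ("avatar", same_avatar)) if hit]
        if hits:
            warnings.append(
                f"{request.account_id} reuses the {' and '.join(hits)} of {contact.account_id}"
            )
    return warnings

# Constructed sample contacts; the account names are placeholders.
KNOWN = [
    Profile("mcd_official_example", "McDonalds", b"constructed-logo-bytes"),
    Profile("willis_example", "Willis", b"constructed-photo-bytes"),
]

if __name__ == "__main__":
    # Full-width "Mc" plus a trailing space: looks the same on screen, different string.
    fake = Profile("random_user_example", "\uff2d\uff43Donalds ", b"constructed-logo-bytes")
    for warning in impersonation_warnings(fake, KNOWN):
        print("WARNING:", warning)
```

The comparison key is always the account name; nickname and avatar are treated purely as signals that someone else's identity is being borrowed.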

Have Your Say
  • Andao

    I don’t see how it’d be hard for WeChat to implement real name registration. Don’t they require you have a phone number to register? That would already be tied to a name.

  • Philip

    Andao, the difficulty obviously doesn’t lie in the technical details….