A cybersecurity firm says it has identified flaws in the popular messaging app WhatsApp that could allow hackers to manipulate messages in both public and private conversations, raising the prospect of misinformation being spread by what appears to be trusted sources.
Check Point Software Technologies Ltd., an Israeli company that provides security for computer networks, said its researchers found three potential ways to alter conversations. One uses the “quote” feature in a group conversation to change the appearance of the identity of a sender.
Another lets a hacker change the text of someone else’s reply. And the other, which has been fixed, would let a person send a private message to another group participant disguised as a public message to all, so when the targeted individual responded, it was visible to everyone in the conversation.
A WhatsApp spokeswoman declined to comment.
The flaws could have significant consequences because WhatsApp has about 1.5 billion users, and is used for personal conversations, business communications and political messaging, said Oded Vanunu, Check Point’s head of products vulnerability research.
Check Point said it alerted WhatsApp, which is owned by Facebook Inc., about the flaws late last year. But the company said only one of the flaws — disguising a private message as one that becomes visible to an entire group — has been addressed.
Vanunu said his company is working with WhatsApp, but the other problems were difficult to solve because of the messaging app’s encryption.