- A security firm has found a series of flaws in WhatsApp that could allow hackers to intercept and manipulate messages by changing the identity of a sender or altering their text.
- Attackers could literally “put words in [someone’s] mouth,” security firm Check Point Research wrote in a press release on Wednesday.
- This gives the attackers the power to “create and spread misinformation from what appear to be trusted sources,” Check Point said.
- Facebook, which owns WhatsApp, did not immediately respond to a request for comment.
A cybersecurity firm has discovered a flaw in WhatsApp that allows hackers to intercept and manipulate messages – potentially changing the identity of a message sender or altering their text.
Attackers could literally “put words in [someone’s] mouth,” Israeli firm Check Point Research said in a press release on Wednesday. It added that this gives the attacker the power to “create and spread misinformation from what appear to be trusted sources.”
Check Point reversed WhatsApp’s encryption algorithm and decrypted the data. Once it did so, it was able to see all the parameters that are sent between the web and mobile versions of WhatsApp and manipulate this data.
So, for example, to change your message, it would capture the outgoing message from WhatsApp, decrypt the data, change it to whatever it wants it to say, and then encrypt it again.
The Facebook-owned messaging app has more than 1.5 billion users and is used in 180 countries around the world; the average user checks the app 23 times a day. So, the potential for online scams, rumors, or fake news is huge, Check Point said.
While Facebook has fixed one of the flaws it identified – the ability for a hacker to send a private message to another group participant that is disguised as a public message – Check Point said two others remain unresolved.
One uses the “quote” feature in a group conversation to change the identity of the message sender. The second lets a bad actor manipulate the text of someone else’s reply.
Facebook did not immediately respond to Business Insider’s request for comment.
To raise awareness, Check Point has launched a tool that enables users to carry out the manipulations and see what these flaws look like in real life, according to the Financial Times.
“We think this is our obligation to escalate this,” Oded Vanunu, head of product vulnerability research at Check Point Research, told FT.
The news comes just months after WhatsApp confirmed that it had been hacked in May by bad actors who installed spyware on an unknown number of people’s smartphones, giving the attackers access to victims’ information such as location data or private messages.