U.S. Markets open in 3 hrs 51 mins

WhatsApp Flaws Could Allow Hackers to Alter Messages

Andrew Martin and Kartikay Mehrotra

(Bloomberg) -- A cybersecurity firm says it has identified flaws in the popular messaging app WhatsApp that could allow hackers to manipulate messages in both public and private conversations, raising the prospect of misinformation being spread by what appears to be trusted sources.

Check Point Software Technologies Ltd., an Israeli company that provides security for computer networks, said its researchers found three potential ways to alter conversations. One uses the "quote" feature in a group conversation to change the appearance of the identity of a sender. Another lets a hacker change the text of someone else’s reply. And the other, which has been fixed, would let a person send a private message to another group participant disguised as a public message to all, so when the targeted individual responded, it was visible to everyone in the conversation.

“We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp,” a spokesperson for Facebook Inc., which owns WhatsApp, said in an emailed statement. “The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private - such as storing information about the origin of messages.”

The flaws could have significant consequences because WhatsApp has about 1.5 billion users, and is used for personal conversations, business communications and political messaging, said Oded Vanunu, Check Point’s head of products vulnerability research.

Check Point said it alerted WhatsApp about the flaws late last year. But the company said only one of the flaws -- disguising a private message as one that becomes visible to an entire group -- has been addressed. Vanunu said his company is working with WhatsApp, but the other problems were difficult to solve because of the messaging app’s encryption.

(Updates with WhatsApp comment in third paragraph.)

To contact the reporters on this story: Andrew Martin in New York at amartin146@bloomberg.net;Kartikay Mehrotra in San Francisco at kmehrotra2@bloomberg.net

To contact the editors responsible for this story: Tom Giles at tgiles5@bloomberg.net, Andrew Martin, Anne VanderMey

For more articles like this, please visit us at bloomberg.com

©2019 Bloomberg L.P.