Israeli cybersecurity firm Check Point Software Technologies has identified flaws in the popular messaging app WhatsApp that could allow hackers to manipulate messages in both public and private conversations.
This raises the prospect of misinformation being spread by what appears to be trusted sources.
The company provides security for computer networks and it said its researchers found three potential ways to alter conversations.
Using the ‘quote’ feature in a group conversation, the hacker can change the appearance of the identity of a sender.
Another way is to let the hacker change the text of someone else’s reply.
And the third, which has been fixed, is to let a person send a private message to another group participant disguised as a public message to all, so when the targeted individual responds, it is visible to everyone in the conversation.
Check Point’s head of products vulnerability research Oded Vanunu said these hacks can have significant consequences with WhatsApp having about 1.5 billion users and it is used for personal conversations, business communications and political messaging.
The company contacted WhatsApp, which is owned by Facebook about the flaws late last year.
Only one of the flaws, disguising a private message as one that becomes visible to an entire group has been addressed.
Vanunu said Check Point is working with WhatsApp but the other problems are difficult to solve because of the messaging app’s encryption.
In May, WhatsApp revealed a vulnerability in its system that could have allowed hackers access to its users’ phones.
The encrypted messaging service said at that time it had discovered and fixed the vulnerability the attackers had sought to exploit.
Media sources then said it is a company that was responsible for the hacking. They named the company saying it is an Israeli outfit (not the same company mentioned above) that developed a powerful piece of malware designed to spy on victims.
In this instance, hackers could implant malicious code on a victim’s phone by placing a voice call to the victim on WhatsApp.
The victims may not even have needed to answer the call for their phone to be infected, CNN reported.