You are here

Cybersecurity firm finds way to alter WhatsApp messages

San francisco

A CYBERSECURITY company said it had discovered a flaw in WhatsApp, the Facebook-owned messaging service with 1.5 billion users, that allows scammers to alter the content or change the identity of the sender of a previously delivered message.

By creating a hacked version of the WhatsApp application, scammers can change a "quote" - a feature that allows people within a chat to display a past message and reply to it - to give the impression that someone sent a message they did not actually send, according to the company, Check Point Software Technologies.

WhatsApp acknowledged that it was possible for someone to manipulate the quote feature, but the company disagreed that it was a flaw. WhatsApp said the system was working as it had intended, because the trade-offs to prevent such a deception by verifying every message on the platform would create an enormous privacy risk or bog down the service.

The company said it worked to find and remove anyone using a fake WhatsApp application to spoof the service. "We carefully reviewed this issue and it's the equivalent of altering an email," Carl Woog, a spokesman for WhatsApp, said in a statement.

What Check Point discovered had nothing to do with the security of WhatsApp's so-called end-to-end encryption, which ensures only the sender and recipient can read messages, he said.

WhatsApp has 1.5 billion users on its platform, making it the world's most widely used messaging app. It has gained popularity for the simplicity and security of its service, providing encryption so that even the company does not know the content of its users' messages. Facebook acquired WhatsApp in 2014 for US$19 billion.

Check Point said it also discovered a way within group chats to send a message to a specific individual within the discussion. That individual is tricked into believing that the whole group saw the message and responds accordingly.

WhatsApp played down the concerns raised by Check Point, saying most people know the person who they are messaging on the service. The company said 90 per cent of all messages on the service are sent in one-on-one conversations, and the majority of groups are six people or less - making it less likely that an unknown person can infiltrate a conversation to trick other users. NYTIMES

BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to