Check Point says WhatsApp weakness enables attackers to send false information

Check Point Software Technologies said Wednesday it had uncovered a security flaw in WhatsApp that gives hackers the possibility “to intercept and manipulate messages sent by those in a group or private conversation” as well as “create and spread misinformation,” The Times of Israel reported.

It said the flaw allows hackers to change the identity of the sender, to alter the text of someone else’s reply, and to send a private message that is visible to everyone in the conversation. Check Point warned that intruders could use such weaknesses for various criminal activities, causing personal and financial harm to users worldwide.

Check Point’s Oded Vanunu said the company had notified WhatsApp, which responded that it could not immediately fix the breach due to the way the app is constructed.

“Since people have been murdered in India and Brazil due to fake WhatsApp messages, and since WhatsApp is admissible evidence in courts around the world, we decided we couldn’t keep it to ourselves,” he said. He pointed out that “WhatsApp has long since stopped being simply an app — it has become an infrastructure that serves institutions, organizations, schools and industry.”

A WhatsApp spokesperson said the issue “has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.” He noted the company recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats in order to avoid misinformation.

Last month WhatsApp announced limits on forwarding messages, after the Indian government threatened to take action when more than 20 people were butchered by crazed mobs after being accused of child kidnapping and other crimes in viral messages on WhatsApp.

Founded in 2009 and purchased by Facebook in 2014, WhatsApp said in January it had more than 1.5 billion users who exchanged some 65 billion messages per day.