SAN FRANCISCO — A cybersecurity company said it had discovered a flaw in WhatsApp, the Facebook-owned messaging service with 1.5 billion users, that allows scammers to alter the content or change the identity of the sender of a previously delivered message.
By creating a hacked version of the WhatsApp application, scammers can change a “quote” — a feature that allows people within a chat to display a past message and reply to it — to give the impression that someone sent a message they did not actually send, according to the company, Check Point Software Technologies.
WhatsApp acknowledged that it was possible for someone to manipulate the quote feature, but the company disagreed that it was a flaw. WhatsApp said the system was working as it had intended, because preventing such a deception by verifying every message on the platform would create an enormous privacy risk or bog down the service. The company said it worked to find and remove anyone using a fake WhatsApp application to spoof the service.
“We carefully reviewed this issue and it’s the equivalent of altering an email,” Carl Woog, a spokesman for WhatsApp, said in a statement. What Check Point discovered had nothing to do with the security of WhatsApp’s so-called end-to-end encryption, which ensures only the sender and recipient can read messages, he said.
WhatsApp has 1.5 billion users on its platform, making it the world’s most widely used messaging app. It has gained popularity for the simplicity and security of its service, providing encryption so that even the company does not know the content of its users’ messages. Facebook acquired WhatsApp in 2014 for $19 billion.
But it has come under fire in recent months for the spread of misinformation on its platform. In India, false rumors about child kidnappers circulating through WhatsApp led to mob violence. In Brazil, false stories about deadly reactions to yellow fever vaccines spread over the messaging service.