SAN FRANCISCO — A cybersecurity company said it had discovered a flaw in WhatsApp, the Facebook-owned messaging service with 1.5 billion users, that allows scammers to alter the content or change the identity of the sender of a previously delivered message.
By creating a hacked version of the WhatsApp application, scammers can change a “quote” — a feature that allows people within a chat to display a past message and reply to it — to give the impression that someone sent a message they did not actually send, according to the company, Check Point Software Technologies.
WhatsApp acknowledged that it was possible for someone to manipulate the quote feature, but the company disagreed that it was a flaw. WhatsApp said the system was working as it had intended, because the trade-offs to prevent such a deception by verifying every message on the platform would create an enormous privacy risk or bog down the service. The company said it worked to find and remove anyone using a fake WhatsApp application to spoof the service.
“We carefully reviewed this issue and it’s the equivalent of altering an email,” Carl Woog, a spokesman for WhatsApp, said in a statement. What Check Point discovered had nothing to do with the security of WhatsApp’s so-called end-to-end encryption, which ensures only the sender and recipient can read messages, he said.
WhatsApp has 1.5 billion users on its platform, making it the world’s most widely used messaging app. It has gained popularity for the simplicity and security of its service, providing encryption so that even the company does not know the content of its users’ messages. Facebook acquired WhatsApp in 2014 for $19 billion.
But it has come under fire in recent months for the spread of misinformation on its platform. In India, false rumors about child kidnappers circulating through WhatsApp led to mob violence. In Brazil, false stories about deadly reactions to yellow fever vaccines spread over the messaging service.
Mr. Woog of WhatsApp said the company was taking “the challenge of misinformation seriously,” putting limits on how widely a message can be shared to different groups and attaching labels when a message has been forwarded. However, WhatsApp said the issue raised by Check Point was unrelated to its efforts to curb misinformation.
Oded Vanunu, head of vulnerability research at Check Point, said the ability to alter messages gave attackers a powerful tool to spread misinformation from what appeared to be a trusted source. It is especially problematic in group chats, which can include up to 256 people. Multiple messages can come in at once and it can be easy to lose track of what someone has said, he said.
“The public relies on the integrity of the message,” said Mr. Vanunu. “WhatsApp needs to adjust to prevent this simple manipulation.”
For now, the issue appears limited to a discussion among security experts. Both WhatsApp and Check Point Software said they had not seen regular users creating fake quote messages in chats.
Check Point said it also discovered a way within group chats to send a message to a specific individual within the discussion. That individual is tricked into believing that the whole group saw the message and responds accordingly.
WhatsApp played down the concerns raised by Check Point, saying most people know the person who they are messaging on the service. The company said 90 percent of all messages on the service are sent in one-on-one conversations, and the majority of groups are six people or less — making it less likely that an unknown person can infiltrate a conversation to trick other users.
A person can check the validity of a quote message by clicking on it. Doing so takes the user back to the point in the chat when the message was sent, unless the message was deleted or the person was not a participant in the chat when the message was sent.
WhatsApp said the potential fixes to this issue were not worth trying. One solution would be to create transcripts of every message exchange to verify the accuracy of every quote. Creating such a transcript is a significant privacy risk because those accounts of what people wrote to each other must be stored somewhere, the company said.
Follow Daisuke Wakabayashi on Twitter: @daiwaka