WhatsApp issue lets users manipulate chats to ‘put words in people’s mouths’

Security flaw means people can alter the text of someone else's reply, 'essentially putting words in their mouth'

Anthony Cuthbertson
Thursday 08 August 2019 19:58 BST
In a group conversation Whatsapp users can change the identity of a sender
In a group conversation Whatsapp users can change the identity of a sender (Getty)

Support truly
independent journalism

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Louise Thomas


Security researchers have discovered a security vulnerability with WhatsApp that allows messages to be manipulated in group chats.

In a blog post detailing their findings, Check Point Research said the security flaw means people can edit someone's reply, "essentially putting words in their mouth".

The Facebook-owned messaging app, which has over 1.5 billion users around the world, is yet to properly fix the bug, despite Check Point Research notifying WhatsApp in 2018. WhatsApp has been contacted for comment.

When the vulnerabilities were first discovered, Facebook likened the issue to "altering an email" to make it look like something a person never wrote.

"This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp," the technology giant said.

"We take the challenge of misinformation seriously and recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats."

The researchers found three possible methods of attack by exploiting the issue. The first involves using the 'quote' feature in a group conversation to change the identity of the sender.

The second is to alter the text of a person's rely, while the third involves sending a private message that actually appears as a public message.

Check Point said only the third of these vulnerabilities has so far been fixed by WhatsApp, despite these issues being of "the utmost importance" and requiring immediate attention.

"Given all the chatter, the potential for online scams, rumours and fake news is huge," Check Point Research wrote in a blog post.

"Threat actors have an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions."

Check Point’s head of products vulnerability research, Oded Vanunu, told The Independent: "Instant messaging is a vital technology that serves us day-to-day, we manage our private and professional life on this platform and it’s our role in the infosec industry to alert on scenarios that might question the integrity. WhatsApp was very responsive, but took few actions, including fixing one of the manipulation scenarios."

The cyber security firm built a custom tool to take advantage of the flaw, which was demonstrated at the Black Hat conference in Las Vegas this week.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in