A security flaw in WhatsApp allows hackers to obtain and change messages, according to a report from security firm CheckPoint. The vulnerability enables the spreading of incorrect information between the app’s users, leading to possible online scams and interpersonal problems.

As of January 2018, Facebook-owned WhatsApp had 1.5 billion users, with 65 billion messages sent daily. The heightened popularity makes the app even more of a target for cybercriminals, and vulnerabilities in security protocol do not help matters.

SEE: Encryption policy (Tech Pro Research)

The flaw lies in WhatsApp’s encryption process, which is intended to protect all content transmitted via chat. Questions regarding the reliability of WhatsApp’s encryption aren’t new, but this discovery puts up even more red flags.

CheckPoint found that by decrypting WhatsApp, users can see exactly what protocols are being used in the app and alter them at will, opening the door to impersonation and misinformation.

Here are the major attack vectors outlined by Check Point:

  1. Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  2. Alter the text of someone else’s reply, essentially putting words in their mouth.
  3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

If you want to see the vulnerabilities in action, check out this demonstration from CheckPoint.

The big takeaways for tech leaders:

  • A WhatsApp security flaw lets attackers access messages and change them, according to research from CheckPoint.
  • The vulnerability lies in the encryption process, wherein hackers can decrypt the code and change the identity of users or the content of their messages.