WhatsApp privacy bug that allows remote altering of messages is still not patched: report

“The potentially high-risk flaw was identified nearly a year ago by Check Point Security, but has reportedly remained unpatched even now.”

A WhatsApp privacy bug tied to a vulnerability in the app's end-to-end message encryption system has reportedly remained without a patch for over a year now, raising concerns about the privacy of personal chat messages. The issue was first discovered by Israeli cybersecurity research firm Check Point, which revealed different ways in which hackers might be able to exploit the vulnerability to alter a sender's identity, change the content of a sent message, and even expose a private message to a group, thereby creating an atmosphere of misinformation, confusion, and false alibi.

Check Point reportedly alerted WhatsApp to its findings, which could amount to a critical flaw in the system, one that could compromise the safety of many sensitive conversations. Speaking at the ongoing Black Hat security conference in Las Vegas, US, Check Point's senior researchers revealed that these flaws are still at large and that, despite being alerted, WhatsApp has yet to take corrective action to patch them. However, an IANS report quoted a Facebook spokesperson as stating that the claim may not be entirely factual. The spokesperson went on to explain that addressing such a flaw would make WhatsApp's operations less private, since it would involve storing information about the sender of a message and the origin point of a text, both of which are typically hidden through encryption.


It is not quite clear how these vulnerabilities are exploited, since WhatsApp has always maintained that its encryption standard is strong and cannot easily be weakened to tap into a private message. Security researchers have, from time to time, claimed that end-to-end encrypted messages can be compromised or broken into in order to identify sender information, the source points of sensitive messages and so on, all of which WhatsApp has categorically denied. The vulnerabilities Check Point reported, which can be used extensively to create misinformation if they are indeed operational, can prove to be particularly sensitive and undermine the security standard that WhatsApp offers its users.

Misinformation has been an important part of WhatsApp's troubles of late, with forwarded fake messages having already played their part in spreading communal violence in the past and even leading to deaths. On this note, WhatsApp has acknowledged its social responsibility as a company and has been trying different ways to make users aware that a message may be misleading. WhatsApp still maintains that it cannot simply tap into a message because of its encryption standard, but given the scope of this finding, which has again come to light, it remains to be seen how the company proceeds in dealing with such a sensitive issue.