The flaws could have significant consequences because WhatsApp has about 1.5 billion users, and is used for personal conversations, business communications and political messaging, said Oded Vanunu, Check Point's head of products vulnerability research.
The flaws were revealed at the Black Hat conference, and to make matters worse it seems that Facebook was informed about the vulnerability over a year ago but has failed to patch it. The company is still working with WhatsApp to get the other vulnerabilities blocked, but it's proving challenging because of WhatsApp's encryption.
The tool also allows an attacker to change how the sender of the message is identified, making it possible to attribute a comment to a different source. The company said that the so-called vulnerability was akin to altering email replies.
Check Point Research says it found WhatsApp security flaws that allow other people in a group chat to put digital words in your mouth, meaning someone could make it look as if you said, "Ed Sheeran is the greatest singer of all time", even though you clearly didn't. Meanwhile, a participant in the group can access decrypted versions of messages while Facebook cannot intervene. If they find anything suspicious, they should verify with the sender in a private chat.
Additionally, Check Point discovered a way to fool you into mixing up private and non-private messages.
"This does not mean that users should stop using WhatsApp, as, while security bugs are of course unsafe, they are not uncommon in any type of software", said Chebyshev.
The three WhatsApp attack methods include the ability to send messages to another participant or group cloaked as a public message. For instance, the team discovered that a message saying "Great!" sent by a member of a group could be changed to something else: they replaced it with "I'm going to die, in a hospital right now". "We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private, such as storing information about the origin of messages", a Facebook spokesperson said.
"Instant messaging is a vital technology that serves us day to day". It has claimed that hackers can control public and private conversations in a negative way, causing harm to the user's identity and data. "We carefully reviewed this issue and it's the equivalent of altering an email", a WhatsApp spokesperson had told The New York Times a year ago.