A security firm has found a series of flaws in WhatsApp that could allow hackers to intercept and manipulate messages by changing the identity of a sender or altering their text.

Attackers could literally "put words in [someone's] mouth," security firm Check Point Research wrote in a press release on Wednesday.

This gives the attackers the power to "create and spread misinformation from what appear to be trusted sources," Check Point said.

Facebook, which owns WhatsApp, did not immediately respond to a request for comment.

Visit Business Insider's homepage for more stories.

A cybersecurity firm has discovered a flaw in WhatsApp that allows hackers to intercept and manipulate messages — potentially changing the identity of a message sender or altering their text.

Attackers could literally "put words in [someone's] mouth," Israeli firm Check Point Research said in a press release on Wednesday. It added that this gives the attacker the power to "create and spread misinformation from what appear to be trusted sources."

Check Point reversed WhatsApp's encryption algorithm and decrypted the data. Once it did so, it was able to see all the parameters that are sent between the web and mobile version of WhatsApp and manipulate this data.

So, for example, if it wanted to change your message, it captures the outgoing message from WhatsApp, decrypts the data, changes it to whatever it wants it to say, and then encrypts it back.

The Facebook-owned messaging app has more than 1.5 billion users and is used in 180 countries around the world; the average user checks the app 23 times a day. So, the potential for online scams, rumors, or fake news is huge, Check Point said.

Read more: A security flaw found in WhatsApp and Telegram on Android lets hackers mess with your photos, payments, and voice notes

While Facebook has fixed one of the flaws it identified – the ability for a hacker to send a private message to another group participant that is disguised as a public message – Check Point said two others remain unresolved.

One uses the "quote" feature in a group conversation to change the identity of the message sender. The second lets a bad actor manipulate the text of someone else's reply.

To raise awareness, Check Point has launched a tool that enables users to carry out the manipulations and see what these flaws look like in real life, according to the Financial Times.

"We think this is our obligation to escalate this," Oded Vanunu, head of product vulnerability research at Check Point Research, told FT.

The news comes just months after WhatsApp confirmed that it had been hacked in May by bad actors who installed spyware on an unknown number of people's smartphones, giving them access to their information such as location data or private messages.

In a statement later emailed to Business Insider, a spokesperson for Facebook said:

We carefully reviewed this issue a year ago and it is false to suggest there is a vulnerability with the security we provide on WhatsApp. The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn't write. We need to be mindful that addressing concerns raised by these researchers could make WhatsApp less private - such as storing information about the origin of messages.