In April of last year, the popular messaging app WhatsApp announced that all types of communication offered by the service would be secured with end-to-end encryption.
However, as reported by The Guardian, right around the same time a cryptography and security researcher notified the developer, and Facebook, that a security bug made it possible for messages to be read not only by would-be attackers, but also by Facebook.
The researcher is Tobias Boelter, and he works out of the University of California, Berkeley. He found that WhatsApp generates new encryption keys for undelivered messages, that is, messages sent to a person who is offline or who has changed their phone number. Either way, those messages can be intercepted, and, what’s more, WhatsApp ends up holding another version of that same message on its servers, because the message is re-encrypted as a different version under the new key.
According to Boelter, this means:
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
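The behaviour described above, a sender re-encrypting an undelivered message under a recipient's new key, can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not WhatsApp's or Boelter's code, and it uses a toy SHA-256 keystream cipher in place of the real protocol. The `SenderClient`, `Contact`, `hold_on_key_change` flag and the key-change notification format are all constructed for the example. It contrasts a delivery-first client, which silently re-encrypts and resends the moment a new key appears, with a client that records a key-change notification, holds the pending message, and only resends after the user confirms the new key.

```python
"""Toy model of 'undelivered message meets key change' (illustration only, not WhatsApp code)."""
import hashlib
import secrets
from dataclasses import dataclass, field


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from SHA-256(key || nonce || counter). A stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def key_id(key: bytes) -> str:
    """Short fingerprint of a key, the kind of value a key-change notification shows the user."""
    return hashlib.sha256(key).hexdigest()[:16]


def toy_encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    stream = toy_keystream(key, nonce, len(plaintext))
    return {"key_id": key_id(key), "nonce": nonce,
            "ciphertext": bytes(p ^ s for p, s in zip(plaintext, stream))}


def toy_decrypt(key: bytes, envelope: dict) -> bytes:
    stream = toy_keystream(key, envelope["nonce"], len(envelope["ciphertext"]))
    return bytes(c ^ s for c, s in zip(envelope["ciphertext"], stream))


@dataclass
class Contact:
    name: str
    pinned_key: bytes        # the recipient key this client currently trusts
    verified: bool = True    # False after an unconfirmed key change (hold policy only)


@dataclass
class SenderClient:
    contacts: dict
    hold_on_key_change: bool = False   # False: deliver first; True: notify and wait
    outbox: list = field(default_factory=list)        # envelopes not yet delivered
    notifications: list = field(default_factory=list)  # key-change events shown to the user

    def send(self, to: str, plaintext: bytes) -> dict:
        envelope = toy_encrypt(self.contacts[to].pinned_key, plaintext)
        # The sender keeps its own plaintext copy until delivery; that copy is what
        # makes a later re-encryption under a different key possible at all.
        envelope.update(to=to, plaintext=plaintext)
        self.outbox.append(envelope)
        return envelope

    def mark_delivered(self, envelope: dict) -> None:
        self.outbox.remove(envelope)

    def on_key_change(self, name: str, new_key: bytes) -> list:
        """Server reports a new key for `name`. Returns the envelopes resent right away."""
        contact = self.contacts[name]
        self.notifications.append(
            f"{name}: key {key_id(contact.pinned_key)} -> {key_id(new_key)}")
        contact.pinned_key = new_key
        if self.hold_on_key_change:
            contact.verified = False   # pending messages stay in the outbox
            return []
        return self._reencrypt_pending(name)   # delivery-first: resend silently

    def confirm_key(self, name: str) -> list:
        """User has checked the new fingerprint out of band; release held messages."""
        self.contacts[name].verified = True
        return self._reencrypt_pending(name)

    def _reencrypt_pending(self, name: str) -> list:
        resent = []
        for env in self.outbox:
            if env["to"] == name:
                env.update(toy_encrypt(self.contacts[name].pinned_key, env["plaintext"]))
                resent.append(env)
        return resent


if __name__ == "__main__":
    old, new = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed keys
    client = SenderClient({"bob": Contact("bob", old)})
    client.send("bob", b"constructed sample message")
    for env in client.on_key_change("bob", new):
        print("resent under", env["key_id"], "->", toy_decrypt(new, env))
    print(client.notifications)
```

Whoever holds the new key can read the resent copy, and the old key no longer decrypts it; the only signal the sending user gets is the notification entry, which the delivery-first client records but does not act on. The hold policy is the conservative alternative: the outbox stays encrypted under the old key until the user confirms the new fingerprint.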
Perhaps what is most interesting, though, is that Boelter reached out to WhatsApp and Facebook, informing them of the security bug. In a response, Facebook told him that they are “not actively working on changing” anything. As a result, this is now being considered a legitimate backdoor in the software.
Speaking for WhatsApp, a spokesperson said:
“We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
Update: A WhatsApp spokesperson has reached out, and provided the following statement on behalf of the company:
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. **This claim is false.**
WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report. (https://govtrequests.facebook.com/)”
Do you use WhatsApp? [via The Guardian]