WhatsApp is widely regarded as one of the most secure messaging applications: its conversations are end-to-end encrypted, and its founders have said that not even they can read them. A researcher now says, however, that a backdoor in the way WhatsApp handles a change of encryption keys allows messages to be disclosed.
Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.” Boelter discovered the behaviour and says that Facebook, or anyone able to have WhatsApp issue new keys, could potentially intercept and read encrypted messages in the app.
Facebook had claimed that no one can intercept WhatsApp messages, not even company staff, but the new report appears to contradict this. WhatsApp's end-to-end encryption is built on the Signal protocol, created by Open Whisper Systems, which generates unique security keys for each user.
“A gold mine for security agencies”
The issue lies in how WhatsApp handles a change of keys while a recipient is offline. WhatsApp can generate new encryption keys for an offline user (a legitimate key change happens, for example, after a reinstall or a move to a new phone) and then make the sender's client re-encrypt any undelivered messages under the new keys and send them again, automatically. The recipient is never notified of the key change, and the sender is warned only if they previously opted in to security notifications under settings, and even then only after the messages have already been re-sent. It is this automatic re-encryption to keys that WhatsApp itself issued which, Boelter argues, gives the company the ability to read user messages.
Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, said the backdoor is a “huge threat” to freedom of speech and “a gold mine for security agencies”, and some Twitter users urged others to stop using WhatsApp.
Because WhatsApp can resend undelivered messages under a new security key of its own choosing, its staff could gain access to their contents. The weakness does not appear to lie in the Signal protocol itself: Open Whisper Systems' own messaging app, Signal, does not suffer from it.
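To make the mechanism concrete, here is a small added model (my own illustration, not WhatsApp's or Signal's code) of a sender-side client holding one undelivered message at the moment the server announces a replacement identity key for the recipient. The toy cipher, the key values, and the `SenderClient` and `run_scenario` helpers are all constructed for the example. It compares three policies: automatic resend with no warning (the default behaviour described above), automatic resend with the opt-in warning delivered only afterwards, and holding the messages until the user approves the new key. The last policy is assumed here as the kind of design that avoids the problem; the page does not describe how Signal's app actually handles a key change.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Toy XOR stream cipher standing in for the real session encryption. The only
# property the example relies on is that a ciphertext is readable by whoever
# holds the key it was encrypted under, which is exactly what the key-change
# issue is about. Do not use this cipher for anything real.
def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))

decrypt = encrypt  # XOR with the same keystream undoes the encryption

@dataclass
class SenderClient:
    """The sender's view of one recipient: the identity key it currently trusts,
    the plaintexts not yet acknowledged as delivered, and the ciphertexts it has
    handed to the server for delivery."""
    trusted_key: bytes
    warn_on_key_change: bool = False   # models the opt-in 'security notifications' setting
    block_on_key_change: bool = False  # assumed safer policy: hold resends until user approves
    undelivered: List[bytes] = field(default_factory=list)
    outbox: List[bytes] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def send(self, plaintext: bytes) -> None:
        self.undelivered.append(plaintext)
        self.outbox.append(encrypt(self.trusted_key, plaintext))

    def on_key_change(self, new_key: bytes) -> bool:
        """The server announces a new identity key for the recipient. Returns True
        if the undelivered messages were re-encrypted under it and resent."""
        if self.block_on_key_change:
            self.warnings.append("identity key changed; delivery held until you verify it")
            return False
        self.trusted_key = new_key
        self.outbox = [encrypt(new_key, p) for p in self.undelivered]
        if self.warn_on_key_change:
            # the notification arrives only after the resend has already happened
            self.warnings.append("security code changed (undelivered messages resent)")
        return True

def run_scenario(block_on_key_change: bool, warn_on_key_change: bool) -> Dict[str, object]:
    """Recipient goes offline with one message undelivered; the server then
    announces a replacement key that it, not the recipient, generated."""
    recipient_key = hashlib.sha256(b"constructed: recipient device key").digest()
    server_key = hashlib.sha256(b"constructed: key chosen by the server").digest()
    msg = b"meet at 9"
    client = SenderClient(
        trusted_key=recipient_key,
        warn_on_key_change=warn_on_key_change,
        block_on_key_change=block_on_key_change,
    )
    client.send(msg)
    resent = client.on_key_change(server_key)
    # Can the holder of the server-issued key read what is now in the outbox?
    server_can_read = all(decrypt(server_key, ct) == msg for ct in client.outbox)
    return {"resent": resent, "server_can_read": server_can_read, "warnings": list(client.warnings)}

if __name__ == "__main__":
    for block, warn in [(False, False), (False, True), (True, False)]:
        print(f"block={block} warn={warn}: {run_scenario(block, warn)}")
```

Under the first two policies the message is re-encrypted to the server-issued key and becomes readable to whoever holds it, and the warning, where enabled, only tells the sender after the fact. Under the blocking policy the outbox still contains the ciphertext for the recipient's original key, so the new key holder learns nothing until the sender has verified the change.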
Facebook is reportedly aware of the issue: Boelter reported it to the company in April 2016 and was told it was a known issue, which the company described as “expected behavior”.