A security issue could allow Facebook and other parties to intercept and read the messages you send via WhatsApp.
The flaw, which is more of a design choice than anything, has to do with how WhatsApp generates unique security keys to ensure its users’ messages are protected with end-to-end encryption.
The popular messaging app leverages the Signal protocol, developed by Open Whisper Systems, to help users trade and verify security keys between themselves. This exchange process helps to secure a conversation. It prevents a middleman from eavesdropping on the content of each message.
But while WhatsApp uses the Signal protocol, it’s not exactly the same as the Snowden-approved messaging app. The difference is that WhatsApp automatically generates new security keys when a user goes offline, which means it re-encrypts a message that’s not been delivered using those new keys and sends it again. Doing so technically empowers WhatsApp, Facebook (its owner), and others to intercept and read the message.
Tobias Boelter, a cryptography and security researcher at the University of California Berkeley who discovered the flaw, says WhatsApp could exploit this protocol to comply with government requests for users’ data.
As he told The Guardian:
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Could isn’t the same as would, however.
A spokesperson for WhatsApp stated as much in response to The Guardian’s article. They also took issue with the suggestion that WhatsApp would surrender users’ data to government officials without notifying them of its decision to do so. In reality, the company representative said this insinuation couldn’t be further from the truth.
As quoted in a statement published by TechCrunch:
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
Indeed, users of encrypted messaging app can activate a “Show Security Notifications” setting that alerts them if and when the security keys of one of their contacts change. Someone will receive a notification if they’ve enabled setting when their contact changes their phone or SIM card, for instance.
Still, that doesn’t mean WhatsApp should automatically resend the message without letting the user know about it first. What it could and probably should do is follow Signal’s example in notifying the user the keys have changed and not automatically resend a message. That way, a user could perhaps contact their correspondent via other means to inquire about the change in security keys. Alternatively, they might decide to end the conversation outright and delete the unsent message rather than risk getting exposed.
Is this flaw a government backdoor? No. But it is a chink in WhatsApp’s claim to protecting its users. Let’s hope the company thinks over this issue and decides to implement some changes as a result.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.