WhatsApp Security Backdoor Allows Facebook and Others to Read Encrypted Messages
A new security backdoor has been discovered in WhatsApp which could potentially allow Facebook and others to read encrypted messages. While we already know that WhatsApp offers end-to-end encryption, the backdoor was found within the popular messaging app itself. Moreover, Facebook had previously claimed that no one, including the company itself, could read WhatsApp messages. The answer rests in the implemented end-to-end encryption protocol. So let's see some more details on this WhatsApp security backdoor.
WhatsApp security vulnerability allows snooping in on encrypted messages
Intercepting and reading encrypted messages is a privacy breach which can be done by many institutions, including the government and other agencies. According to the privacy campaigners, the vulnerability discovered is a “huge threat to freedom of speech” and different types of agencies could snoop in on encrypted messages without a user's consent.
One of the major selling points of WhatsApp was privacy, that attracted many activists, diplomats and others in need of secure communication. With that said and the vulnerability discovered, WhatsApp could lose such users who're in dire need of secure communication.
WhatsApp's end-to-end encryption, developed by Open Whisper Systems, is based on the construction of unique security keys, making use of the acclaimed Signal protocol. The security keys are bartered among users and verified, ensuring that no medium is present in-between. However, WhatsApp does have the ability to generate new encrypted keys for users who are offline without their knowledge. They then allow the sender to encrypt messages and send them again for messages which have yet not been marked as delivered.
In this changing process, the sender is notified only if he or she has opted-in to encryption warnings, and only if the messages have been sent again. The vulnerability was discovered by a security researcher at the University of California, Tobias Boelter. He stated to the Guardian that “if WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
The issue was reported by Boelter to Facebook back in April of last year. Even though it was acknowledged by the company and that it was "expected behavior", the company was not heavily working on it. Boelter further noted.
“[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
It all rests with time whether Facebook will work to fix the vulnerability for good. This is it, for now, folks. What are your thoughts on this WhatsApp security backdoor that allows Facebook and others to snoop in on encrypted messages? Let us know in the comments.