There’s a security backdoor in WhatsApp that can be used by parent company Facebook, government agencies and others to intercept and read encrypted messages sent through the popular mobile phone messaging app, according to a report.
The Guardian reported the backdoor exclusively on Friday, saying it flies in the face of claims by Facebook that messages sent securely using the app’s end-to-end encryption cannot be intercepted, even by the social networking company’s own employees.
But a problem in the way WhatsApp’s encryption has been implemented allows for interception, according to the report. It said a cryptography researcher at the University of California, Berkeley, Tobias Boelter, had uncovered the vulnerability.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter is quoted by The Guardian as saying.
He reportedly informed Facebook of the problem in April, but the company has failed to address it, calling it “expected behaviour”.
WhatsApp has more than a billion daily active users, some of whom use the service to share sensitive information on the understanding that it cannot be intercepted.
According to The Guardian, the vulnerability is caused by the fact that WhatsApp “has the ability to force the generation of new encryption keys for offline users, unbeknownst to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered”.
“The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.”
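The key-change behaviour quoted above, modelled as an added example (not code from WhatsApp, Facebook or The Guardian): a toy sender client with a queue of undelivered messages, comparing the reported policy (re-encrypt to the new key and resend at once, warning afterwards and only if notifications are on) with a hypothetical hardened policy that holds undelivered messages until the user verifies the new key. `SenderClient`, `seal`, the policy names and the sample keys are assumptions, and the cipher is a toy stand-in.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for the real cipher: XOR with a SHA-256 keystream. It only binds a ciphertext to a key; it is NOT secure."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

@dataclass
class SenderClient:
    peer_key: bytes                    # identity key currently trusted for the recipient
    policy: str                        # "resend_silently" (as reported) or "hold_until_verified" (hardened)
    opted_in: bool = False             # user enabled security notifications? (off by default)
    undelivered: List[bytes] = field(default_factory=list)           # plaintexts not yet marked delivered
    outbox: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (key, ciphertext) handed to the server
    warnings: List[str] = field(default_factory=list)                # what the user actually gets to see
    pending_key: bytes = b""                                         # unverified key awaiting a decision

    def send(self, plaintext: bytes) -> None:
        self.undelivered.append(plaintext)
        self.outbox.append((self.peer_key, seal(self.peer_key, plaintext)))

    def on_key_change(self, new_key: bytes) -> None:
        """Server announces a new key for the offline recipient."""
        if self.policy == "resend_silently":
            self.peer_key = new_key
            for m in self.undelivered:          # re-encrypt to a key nobody has verified...
                self.outbox.append((new_key, seal(new_key, m)))
            if self.opted_in:                   # ...and warn only afterwards, and only if opted in
                self.warnings.append("security code changed")
        else:
            self.pending_key = new_key          # hold the queue: nothing leaves under the new key
            self.warnings.append("security code changed; undelivered messages held")

    def accept_new_key(self) -> None:
        if self.pending_key:                    # user verified the new safety number out of band; only now resend
            self.peer_key, self.pending_key = self.pending_key, b""
            for m in self.undelivered:
                self.outbox.append((self.peer_key, seal(self.peer_key, m)))

def sent_under(client: SenderClient, key: bytes) -> int:
    return sum(1 for k, _ in client.outbox if k == key)    # ciphertexts the server holds under `key`

def demo() -> Tuple[int, int]:
    old, new = b"recipient-key-v1", b"recipient-key-v2"   # constructed sample keys
    silent, held = SenderClient(old, "resend_silently"), SenderClient(old, "hold_until_verified")
    for c in (silent, held):
        c.send(b"meet at 9"); c.on_key_change(new)
    return sent_under(silent, new), sent_under(held, new)   # (1, 0)
```

Under the reported policy the undelivered message reaches the server under the new key before the sender sees any notice, and with notifications off there is no notice at all; the hardened policy leaves nothing under the new key until `accept_new_key()` is called.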
WhatsApp hits back
WhatsApp, meanwhile, has hit back at any suggestion that it intentionally created a backdoor that allows governments to force it to decrypt message streams.
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor,” it said in a statement e-mailed to TechCentral.
“The design decision referenced in The Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks,” it said.
“WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
— (c) 2017 NewsCentral Media