WhatsApp bug: Messages ‘can be intercepted and read’
Update (January 17th): In response to the Guardian’s original exclusive, Moxie Marlinspike, a security expert and founder of Open Whisper Systems, said that the newspaper’s report about WhatsApp having a backdoor is false. He said, among other things: “The fact that WhatsApp handles key changes is not a ‘backdoor’; it is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.
A WhatsApp ‘security issue’ has been identified, meaning third parties may be able to both intercept and read encrypted messages, according to new research.
Discovered by Tobias Boelter, a security researcher at the University of California, Berkeley, the flaw is said to contradict the company’s assertion that no-one is capable of deciphering messages sent between users.
Further, in a Guardian exclusive, it was revealed that Boelter had made WhatsApp’s parent company Facebook aware of the bug last year in April.
In response, the tech giant said that it knew of the issue and that that it wasn’t “actively being worked on”. According to the newspaper, the vulnerability still hasn’t been fixed.
The bug exists as a result of the way in which WhatsApp has put in place its end-to-end encryption protocol, the Guardian explained.
“WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol … that are traded and verified between users to guarantee communications are secure,” it stated.
“WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.”
It is this process that, in effect, allows for supposedly encrypted messages to be made readable.
However, as Boelter noted, if WhatsApp were requested by a national security agency to hand over information, it could also ask for that data to come in a decrypted form.
Responding to the Guardian story, WhatsApp denied that there was a backdoor in its app.
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor,” it said in a statement to TechCrunch.
“The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
In related news, ESET’s Lucas Paus revealed that another scam is doing the rounds on the app.
In this instance, the fraudsters behind this hoax claim that users can benefit from a free internet service, without the need to use Wi-Fi. However, it’s all completely made up.