WhatsApp adopted end-to-end encryption last year, bringing privacy and confidentiality to all of its 1 billion users. It was a bold move, one that was entirely supportive of consumer rights, and the Facebook-owned company was cheered for it. Unfortunately, news soon followed that the messaging service would be sharing its user data with Facebook in a bid to monetise the platform. And now the latest caveat: a backdoor that has existed for months in the way the app handles its encryption keys.
WhatsApp's encryption is built on the well-regarded Signal Protocol, the same protocol used by the Signal app, but it turns out the messaging platform added its own handling of key changes on top of it. The upshot is that, rather than being unable to read any of its users' messages, WhatsApp is in a position to intercept and read some of them, without the sender or the recipient being aware at the time.
The security flaw was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. Because WhatsApp's servers are the ones that distribute users' encryption keys, the company can push a new key for a user who is offline. Once such a key change takes effect, the sender's app automatically re-encrypts any messages that have not yet been delivered with the new key and sends them again, without the sender's knowledge or consent at the time. Boelter reported the issue to Facebook in April last year, but was later told it was "expected behaviour" rather than a bug.
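To make the mechanism concrete, here is a small simulation written for this article; it is not WhatsApp's or Signal's code and uses a toy XOR cipher rather than the Signal Protocol, purely so that "which key was this ciphertext produced under" can be checked. A key server hands out recipients' identity keys and, as the research points out, whoever runs it can swap a key while the owner is offline. The sender's client is run under two policies: `auto_resend`, the WhatsApp behaviour described above, where queued messages are re-encrypted to the new key and resent before the user is told; and `block`, the Signal app's behaviour, where the message is held until the user has verified the new key. The user names, keys, message text and policy names are all constructed for the example.

```python
"""Simulate how a sender's client handles a recipient key change while a
message is still queued (constructed example, not WhatsApp's or Signal's code)."""
import hashlib
import os
from dataclasses import dataclass, field


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by SHA-256(key || nonce || counter).

    Not secure and not the Signal Protocol: it exists only so the test can
    ask "can the holder of key K read this?". XOR is its own inverse, so the
    same function decrypts.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class KeyServer:
    """Directory that hands out each user's current identity key.

    In the real system this role is played by WhatsApp's infrastructure; the
    contested capability is replace_key(), which its operator can call.
    """
    keys: dict

    def key_for(self, user: str) -> bytes:
        return self.keys[user]

    def replace_key(self, user: str, new_key: bytes) -> None:
        self.keys[user] = new_key


@dataclass
class SenderClient:
    server: KeyServer
    policy: str                                   # "auto_resend" or "block" (assumed names)
    pinned: dict = field(default_factory=dict)    # recipient -> key seen on first contact
    outbox: list = field(default_factory=list)    # (recipient, plaintext) awaiting delivery
    wire: list = field(default_factory=list)      # (recipient, key, nonce, ciphertext) given to server
    notifications: list = field(default_factory=list)
    held: list = field(default_factory=list)      # messages waiting for the user to verify a new key

    def send(self, to: str, plaintext: bytes) -> None:
        key = self.server.key_for(to)
        self.pinned.setdefault(to, key)
        self.outbox.append((to, plaintext))       # kept until the recipient acknowledges
        self._push(to, key, plaintext)

    def _push(self, to: str, key: bytes, plaintext: bytes) -> None:
        nonce = os.urandom(12)
        self.wire.append((to, key, nonce, toy_encrypt(key, nonce, plaintext)))

    def sync(self) -> None:
        """The next time the client checks in it learns each recipient's current key."""
        for to, plaintext in list(self.outbox):
            current = self.server.key_for(to)
            if current == self.pinned[to]:
                continue
            # The simulation always records a notification; in the real app
            # the sender only sees one if security notifications are switched on.
            self.notifications.append(f"security code for {to} changed")
            if self.policy == "auto_resend":
                # Re-encrypt the undelivered message to the new key and resend it.
                self.pinned[to] = current
                self._push(to, current, plaintext)
            else:
                # Hold the message until the user has verified the new key.
                self.held.append((to, plaintext))


def run_scenario(policy: str) -> dict:
    """Alice queues a message for an offline Bob; the server operator swaps Bob's key."""
    bob_real_key = b"bob-real-key"       # constructed
    operator_key = b"operator-key"       # key the server operator controls; constructed
    server = KeyServer({"bob": bob_real_key})
    alice = SenderClient(server, policy)
    alice.send("bob", b"meet at 9")
    server.replace_key("bob", operator_key)      # Bob never acknowledged; key swapped meanwhile
    alice.sync()
    # The operator decrypts everything it saw on the wire with its own key.
    operator_view = [toy_encrypt(operator_key, nonce, ct) for (_, _, nonce, ct) in alice.wire]
    return {
        "readable_by_operator": operator_view,
        "held": len(alice.held),
        "notifications": alice.notifications,
    }


if __name__ == "__main__":
    for policy in ("auto_resend", "block"):
        r = run_scenario(policy)
        print(policy, b"meet at 9" in r["readable_by_operator"], r["held"], r["notifications"])
```

Under `auto_resend` the operator's decryption of the resent ciphertext is the original plaintext, and the sender learns of the key change only after the resend has already happened; under `block` the operator can decrypt nothing and the message stays held. The first copy on the wire, encrypted to Bob's real key, is unreadable to the operator in both cases, which is why the capability requires control of the key server rather than an outside attack.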
While the flaw does not expose users to outside attackers, since exploiting it requires control of WhatsApp's own key servers, it does give Facebook or WhatsApp the ability to read messages, something the company could be compelled to do by governments. The messaging company has, however, countered that argument with the following statement:
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false.
WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
