Update, 9:08am: WhatsApp has provided a statement to Greenbot. This article was updated to reflect this.
When Facebook’s WhatsApp turned on end-to-end encryption in its messaging service last year, it was a big deal. As all eyes were glued on Apple’s fight with the FBI over unlocking the San Bernardino shooter’s iPhone, WhatsApp took a huge step toward protecting its users’ privacy by moving to encrypt all messages and calls sent between its apps.
But a new report suggests it might not be as secure as users think. According to The Guardian, a serious vulnerability in WhatsApp’s encryption could allow Facebook to intercept and read messages without the recipient’s knowledge, and with the sender aware of it only if they have previously opted in to receive encryption warnings. The security flaw, which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, can “effectively grant access (to users’ messages)” by changing the security keys and resending messages.
“WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol … to guarantee communications are secure and cannot be intercepted by a middleman,” the paper wrote. “However, WhatsApp has the ability to force the generation of new encryption keys for offline users … and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.”
While there is no evidence to suggest WhatsApp has used the flaw to surreptitiously intercept messages, Boelter says he reported the vulnerability to Facebook back in April 2016 but was informed that it was “expected behavior.” According to The Guardian, the security flaw, which still exists in the latest version of the service’s encryption, is exacerbated by WhatsApp’s habit of automatically resending undelivered messages without authorization by the user.
According to WhatsApp’s website, end-to-end encryption is always activated when using the service, and there is no way to turn it off. Additionally, each conversation has its own optional verification process that can be used to verify that calls and messages are end-to-end encrypted. In a statement provided to Greenbot, WhatsApp defended the “intentional design decision” and slammed The Guardian’s characterization of it as false:
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
The impact on you at home: Hopefully, there is none. While the flaw in WhatsApp certainly has the appearance of being nefarious, there is nothing to suggest that users’ messages are actively being compromised. That being said, it’s not a bad idea to head over to your account’s security settings and turn on the Show security notifications toggle.
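The behaviour at the centre of the dispute, a sender re-encrypting undelivered messages to a contact’s newly issued key, and the “Show security notifications” toggle that determines whether the sender is told, can be seen side by side in a small model. The code below is an added illustration, not WhatsApp’s or Signal’s code: keys are random byte strings, the “encryption” is a hash-derived keystream stand-in rather than the Signal protocol, and the `Client`, `scenario`, `auto_resend` and `notifications` names are hypothetical. It compares three policies: resend silently, resend but warn, and hold the message until the new key is verified.

```python
"""Model of an encrypted messenger's handling of a contact's key change while
messages are still undelivered. Added illustration, not WhatsApp or Signal
code: keys are random byte strings and the "encryption" is a hash-derived
keystream stand-in, so holding a contact's key here stands for holding the
private half of that contact's identity key."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def fingerprint(key: bytes) -> str:
    """Short hex identifier, the model's equivalent of a displayed 'security code'."""
    return hashlib.sha256(key).hexdigest()[:16]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream: SHA-256 over key, nonce and a counter. Not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_to(key: bytes, plaintext: bytes) -> dict:
    """Envelope readable only by the holder of `key` (stand-in for public-key encryption)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return {"to": fingerprint(key), "nonce": nonce,
            "ct": bytes(a ^ b for a, b in zip(plaintext, stream))}


def decrypt_with(key: bytes, env: dict) -> Optional[bytes]:
    """Returns the plaintext if `key` is the one the envelope was made for, else None."""
    if env["to"] != fingerprint(key):
        return None
    stream = _keystream(key, env["nonce"], len(env["ct"]))
    return bytes(a ^ b for a, b in zip(env["ct"], stream))


@dataclass
class Client:
    """Sender-side state. `auto_resend` and `notifications` are the two policy
    knobs discussed in the article (hypothetical names)."""
    auto_resend: bool = True       # re-encrypt undelivered messages to a changed key
    notifications: bool = False    # show a 'security code changed' warning
    pinned: Dict[str, bytes] = field(default_factory=dict)       # contact -> trusted key
    outbox: List[Tuple[str, bytes, dict]] = field(default_factory=list)  # undelivered
    warnings: List[str] = field(default_factory=list)

    def send(self, contact: str, plaintext: bytes) -> dict:
        env = encrypt_to(self.pinned[contact], plaintext)
        self.outbox.append((contact, plaintext, env))   # queued until delivered
        return env

    def on_key_change(self, contact: str, new_key: bytes) -> List[dict]:
        """The server presents a new identity key for `contact`. Returns the
        envelopes the client sends again as a result."""
        if new_key == self.pinned[contact]:
            return []
        if self.notifications:
            self.warnings.append(f"{contact}: security code changed to {fingerprint(new_key)}")
        if not self.auto_resend:
            # Conservative policy: keep queued messages under the old key until
            # the user verifies the new code out of band.
            return []
        self.pinned[contact] = new_key
        resent = []
        for i, (c, plaintext, _) in enumerate(self.outbox):
            if c == contact:
                env = encrypt_to(new_key, plaintext)
                self.outbox[i] = (c, plaintext, env)
                resent.append(env)
        return resent


def scenario(auto_resend: bool, notifications: bool) -> dict:
    """Constructed scenario: Alice queues a message for Bob, Bob is offline, and
    the server presents a substituted key. Reports what the holder of the
    substituted key can read and whether Alice was told."""
    alice = Client(auto_resend=auto_resend, notifications=notifications)
    bob_key = secrets.token_bytes(32)
    alice.pinned["bob"] = bob_key
    original = alice.send("bob", b"meet at noon")
    substituted_key = secrets.token_bytes(32)
    resent = alice.on_key_change("bob", substituted_key)
    return {
        "original_readable_by_bob": decrypt_with(bob_key, original) == b"meet at noon",
        "original_readable_by_substitute": decrypt_with(substituted_key, original) is not None,
        "resent_readable_by_substitute": any(
            decrypt_with(substituted_key, env) == b"meet at noon" for env in resent),
        "warnings": list(alice.warnings),
    }


if __name__ == "__main__":
    for policy in [(True, False), (True, True), (False, True)]:
        print("auto_resend=%s notifications=%s" % policy, scenario(*policy))
```

The original envelope stays unreadable to the substituted key in every run; what changes between policies is whether a fresh copy is produced for that key and whether the sender sees a warning. With `auto_resend=True` and `notifications=False` the resend happens with no warning at all, which is the combination the article describes and the reason turning the notification toggle on is worthwhile.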