WhatsApp vulnerability could expose messages to prying eyes, report claims
Security

WhatsApp vulnerability could expose messages to prying eyes, report claims

Update, 9:08am: WhatsApp has provided a statement to Greenbot. This article was updated to reflect this.

When Facebook’s WhatsApp turned on end-end-end encryption in its messaging service last year, it was a big deal. As all eyes were glued on Apple’s fight with the FBI over unlocking the San Bernardino shooter’s iPhone, WhatsApp took a huge step toward protecting its users’ privacy by moving to encrypt all messages and calls being sent between its apps.

But a new report suggests it might not be as secure as users think. According to The Guardian, a serious vulnerability in WhatApp’s encryption could allow Facebook to intercept and read messages unbeknownst to the recipient, and only aware of by the sender if they have previously opted in to receive encryption warnings. The security flaw, which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, can “effectively grant access (to users’ messages)” by changing the security keys and resending messages.

“WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol … to guarantee communications are secure and cannot be intercepted by a middleman,” the paper wrote. “However, WhatsApp has the ability to force the generation of new encryption keys for offline users … and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.”

While there is no evidence to suggest WhatsApp has used the flaw to surreptitiously intercept messages, Boelter says he reported the vulnerability to Facebook back in April 2016 but was informed that it was “expected behavior.” According to The Guardian the security flaw, which still exists in the latest version of the service’s encryption, is exasperated by WhatsApp’s habit of automatically resending undelivered messages without authorization by the user.

According the Whatsapp its website, end-to-end encryption is always activated when using the service, and there is no way to turn it off. Additionally, each conversation has its own optional verification process that can be used to verify that calls and messages are end-to-end encrypted. In a statement provided to Greenbot, WhatsApp defended the “intentional design decision” and slammed The Guardian’s characterization of it as false:

“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”

The impact on you at home: Hopefully, there is none. While the flaw in WhatsApp certainly has the appearance of being nefarious, there is nothing to suggest that users’ messages are actively being compromised. That being said, it’s not a bad idea to head over to your account’s security settings and turn on the Show security notifications toggle.

IDG Insider

PREVIOUS ARTICLE

«Android device updates: the Galaxy S7 and S7 Edge are finally getting Nougat

NEXT ARTICLE

After MongoDB, ransomware groups hit exposed Elasticsearch clusters»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should companies have Bitcoins on hand in preparation for a Ransomware attack?