Privacy campaigners criticize WhatsApp vulnerability as a ‘huge threat to freedom of speech’ and warn it could be exploited by government agencies
Facebook Inc owns the WhatsApp messaging service. While Facebook claims that no one (not even the company and its staff) can intercept WhatsApp messages, research shows that a security vulnerability within WhatsApp can be used to allow Facebook and others to intercept and read encrypted messages.
How can your messages be intercepted?
WhatsApp’s end-to-end encryption uses the acclaimed Signal protocol, developed by Open Whisper Systems. It relies on the generation of unique security keys that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.
However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.
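A simplified model of the sender-side behaviour described above, added here as an illustration and not WhatsApp's or Open Whisper Systems' code: it compares automatic re-sending on a key change with holding undelivered messages until the user verifies the new key. The class, method names, key labels and the hold-until-verified policy are assumptions of this example, and no real cryptography is performed.

```python
from dataclasses import dataclass, field

@dataclass
class SenderClient:
    trusted_key: str                    # recipient key the sender currently encrypts to
    hold_until_verified: bool           # policy under comparison (assumed alternative)
    warnings_enabled: bool = False      # the opt-in encryption warning setting
    undelivered: list = field(default_factory=list)  # sent, not marked as delivered
    held: list = field(default_factory=list)         # waiting for user verification
    wire: list = field(default_factory=list)         # (key, plaintext) pairs that left the device
    log: list = field(default_factory=list)          # ordered record of what the sender could see
    candidate_key: str = ""

    def _transmit(self, text):
        # Stand-in for "encrypt under trusted_key and upload"; no real cryptography here.
        self.wire.append((self.trusted_key, text))

    def send(self, text):
        self.undelivered.append(text)
        self._transmit(text)

    def on_key_change(self, new_key):
        """The server reports a new key for a recipient who is offline."""
        if self.hold_until_verified:
            self.candidate_key = new_key
            self.held, self.undelivered = self.undelivered, []
            self.log.append("warning shown, messages held")
            return
        self.trusted_key = new_key
        for text in self.undelivered:
            self._transmit(text)              # re-encrypt and re-send automatically
        self.log.append("messages re-sent")
        if self.warnings_enabled:
            self.log.append("warning shown")  # only after the re-send

    def user_verified_new_key(self):
        self.trusted_key = self.candidate_key
        for text in self.held:
            self.send(text)
        self.held = []

def keys_used_for(client, text):
    return [key for key, sent in client.wire if sent == text]

def run(hold_until_verified, warnings_enabled=False):
    client = SenderClient("KEY_ORIGINAL", hold_until_verified, warnings_enabled)
    client.send("meet at noon")               # recipient offline, never marked delivered
    client.on_key_change("KEY_UNVERIFIED")    # constructed key labels
    return client
```

With automatic re-sending, the same plaintext leaves the device under a key the sender never verified, and any warning comes after the fact. With the hold policy, nothing is sent under the new key until the user confirms it.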
The security loophole was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.
“WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
That is the assessment of Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights.
Privacy campaigners said the vulnerability is a “huge threat to freedom of speech” and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.
WhatsApp’s response to this issue
WhatsApp later issued another statement saying: “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.”
In response to the Guardian’s original exclusive, Moxie Marlinspike, a security expert and founder of Open Whisper Systems, said that the newspaper’s report about WhatsApp having a backdoor is false. He said among other things: “The fact that WhatsApp handles key changes is not a ‘backdoor’; it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.”