There are more than one billion users on WhatsApp, who trade messages, photos and videos on the cross-platform instant messaging service. WhatsApp introduced end-to-end encryption last April, which in simple terms means only the sender and the recipient can read the messages shared on the platform.
Little did we know about the loophole in the world’s largest messaging app until Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, revealed that WhatsApp messages aren’t entirely secure.
Facebook, which bought WhatsApp in 2014 for a whopping $19 billion, boasted that the messages shared on WhatsApp cannot be intercepted by anyone, including its own staff. It practically meant the messages were as secure as whispering something into a person’s ear.
According to Boelter’s research, the end-to-end encryption protocol implemented by WhatsApp can be altered without the knowledge of senders and recipients. Privacy advocates have raised serious concerns over this capability, as it could be used by government agencies to snoop on users, The Guardian reported on Friday.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told the paper.
In light of the latest evidence, which The Guardian has backed as well, WhatsApp has the ability to re-encrypt and rebroadcast messages, which allows interception without the knowledge of the user.
The end-to-end encryption uses unique security keys from the Signal protocol, developed by Open Whisper Systems. But the change in WhatsApp’s encryption protocol is unique to the app; other apps using the same encryption method do not inherit it. Signal, for instance, which is recommended by whistleblower Edward Snowden, doesn’t have the same security backdoor.
“[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message,” he explained.
WhatsApp does not give users any control over the regeneration of keys. Moreover, it doesn’t notify or seek consent from the user before changing the security keys, the report added.
In response to these claims, a WhatsApp spokesperson did not give a straight answer but said, “In WhatsApp’s implementation of the Signal protocol, we have a ‘Show Security Notifications’ setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
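The behaviour the article describes comes down to one client-side policy decision: what a sender’s app does with messages that have not yet been acknowledged when the server announces a new key for the contact. The model below is an added illustration, not code from WhatsApp, Signal or Boelter; the cipher is a toy XOR stream, the keys and messages are constructed, and the two policy names (“silent_rekey”, the re-encrypt-and-resend behaviour reported above, and “hold_until_verified”, a block-and-warn behaviour corresponding to a user acting on a security-code change notification) are labels chosen here for the comparison.

```python
import hashlib
from dataclasses import dataclass, field


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by sha256(key || block counter). Illustration only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], keystream))
    return bytes(out)


toy_decrypt = toy_encrypt  # an XOR stream cipher is its own inverse


def security_code(key: bytes) -> str:
    """Short fingerprint of a contact key, standing in for the security code shown to users."""
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Message:
    plaintext: bytes
    ciphertext: bytes
    key_code: str
    delivered: bool = False  # True once the recipient's device acknowledged it (the "double tick")


@dataclass
class Sender:
    policy: str  # "silent_rekey" (behaviour the article describes) or "hold_until_verified" (assumed alternative)
    contact_key: bytes
    outbox: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    held: list = field(default_factory=list)

    def send(self, plaintext: bytes) -> Message:
        msg = Message(plaintext, toy_encrypt(self.contact_key, plaintext), security_code(self.contact_key))
        self.outbox.append(msg)
        return msg

    def mark_delivered(self, msg: Message) -> None:
        msg.delivered = True

    def on_key_change(self, new_key: bytes) -> list:
        """The server announces a new key for the contact. Returns the messages re-sent under it."""
        undelivered = [m for m in self.outbox if not m.delivered]
        if self.policy == "silent_rekey":
            # Re-encrypt everything still in flight under the new key and resend, with no user prompt.
            self.contact_key = new_key
            for m in undelivered:
                m.ciphertext = toy_encrypt(new_key, m.plaintext)
                m.key_code = security_code(new_key)
            return undelivered
        # hold_until_verified: keep in-flight messages back and surface the change to the user.
        self.warnings.append(
            f"security code changed {security_code(self.contact_key)} -> {security_code(new_key)}; "
            f"{len(undelivered)} undelivered message(s) held until the new code is verified")
        self.held = undelivered
        return []


def readable_with(key: bytes, messages: list) -> list:
    """Plaintexts that the holder of `key` can recover from the given messages."""
    return [m.plaintext for m in messages if toy_decrypt(key, m.ciphertext) == m.plaintext]


def simulate(policy: str) -> dict:
    # Constructed keys: the contact's genuine key and a replacement key pushed by the server.
    contact_key = bytes([0x11] * 32)
    server_key = bytes([0x22] * 32)
    alice = Sender(policy, contact_key)
    m1 = alice.send(b"meet at 9")
    alice.mark_delivered(m1)                  # receipt shown, nothing to retransmit
    alice.send(b"bring the documents")        # receipt withheld, so this stays undelivered
    resent = alice.on_key_change(server_key)
    return {
        "exposed": readable_with(server_key, resent),   # what the holder of server_key can read
        "warnings": list(alice.warnings),
        "held": [m.plaintext for m in alice.held],
    }


if __name__ == "__main__":
    for policy in ("silent_rekey", "hold_until_verified"):
        print(policy, simulate(policy))
```

Running it shows the asymmetry the article turns on: the already-delivered message is never exposed under either policy, but the undelivered one becomes readable to whoever holds the replacement key only when the client re-encrypts silently. The user-facing difference is the single warning line the second policy emits, which is what the “Show Security Notifications” option surfaces and what a user can act on by comparing security codes out of band before messages are released.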