How WhatsApp’s end-to-end encryption works.
The encryption relies on a set of security keys that are generated using Signal, a protocol developed by Open Whisper Systems. These security keys are exchanged between WhatsApp users and verified so that the messages they send and receive remain private.
The hole in the system.
Though it seems foolproof, WhatsApp has the power to forcibly generate new security keys for offline users. When a message has been sent but remains undelivered, WhatsApp can make the sender re-encrypt the message with the new security keys. The company can then send the message again, unknown to both the sender and the receiver. The sender gets a notification of the change in encryption only if they have opted in to encryption warnings, and even then only after the message has been sent for the second time. In sum, even if the sender gets a notification, they can do nothing about it. And that’s how WhatsApp can intercept users’ messages.
Found by a researcher.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Tobias Boelter told the Guardian. Boelter, who discovered this security backdoor, is a researcher and cryptographer at the University of California.
Signal, the messaging app whose protocol WhatsApp uses, doesn’t have the same issue. When the same case occurs in Signal, the sent message won’t be delivered, and the sender will automatically get a notification. WhatsApp, by contrast, automatically resends the message without warning the sender.
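The two behaviours described above (automatic resend after a key change versus holding the message and notifying the sender) can be compared in a small model. This is an added example, not code from WhatsApp or Signal: the `Sender` class, its field names and the key labels `K_old` and `K_new` are hypothetical, and no real cryptography is performed; "encrypting to" a key is modelled by recording which key was used.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    blocking: bool            # True: hold undelivered messages when the key changes
    notify: bool = False      # opt-in key-change notification (non-blocking policy)
    trusted: dict = field(default_factory=dict)  # recipient -> trusted key fingerprint
    pending: dict = field(default_factory=dict)  # recipient -> undelivered plaintexts
    sent: list = field(default_factory=list)     # (recipient, key used, plaintext)
    alerts: list = field(default_factory=list)   # messages shown to the user

    def send(self, to, key, text):
        self.trusted.setdefault(to, key)         # trust on first use
        self.sent.append((to, self.trusted[to], text))
        self.pending.setdefault(to, []).append(text)  # kept until delivery is confirmed

    def on_key_change(self, to, new_key):
        """The server announces a new key for `to` while messages are undelivered."""
        if new_key == self.trusted.get(to):
            return
        queued = self.pending.get(to, [])
        if self.blocking:
            # Nothing is re-encrypted; the user is told before anything else happens.
            self.alerts.append(f"{to}: key changed, {len(queued)} message(s) held")
            return
        # Accept the new key, re-encrypt and resend, and only then notify (if opted in).
        self.trusted[to] = new_key
        self.sent.extend((to, new_key, text) for text in queued)
        if self.notify:
            self.alerts.append(f"{to}: key changed, {len(queued)} message(s) already resent")

def run(blocking, notify=False):
    """Constructed scenario: one undelivered message, then a key change."""
    s = Sender(blocking=blocking, notify=notify)
    s.send("bob", "K_old", "meet at 6")
    s.on_key_change("bob", "K_new")
    keys_used = [key for _, key, _ in s.sent]
    return keys_used, s.alerts

if __name__ == "__main__":
    for label, args in [("non-blocking, alerts off", (False, False)),
                        ("non-blocking, alerts on", (False, True)),
                        ("blocking", (True,))]:
        print(label, run(*args))
```

Under the non-blocking policy the same plaintext ends up encrypted to both keys whether or not alerts are enabled; under the blocking policy it is only ever encrypted to the key the sender originally trusted.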
Facebook was aware.
When Boelter reported the vulnerability to Facebook back in April 2016, the company dismissed it as normal behavior. The company wasn’t actively working to fix the issue, and according to the Guardian, the security backdoor is still live.