
WhatsApp Security Vulnerability Lets the Company Read Your Messages

January 13th, 2017

If you’ve been proud of the lengths that Facebook and WhatsApp go to protect your private messages, you might want to think again. Back in August of 2015, WhatsApp announced a change to its privacy policy stating that it would merge its users’ data with that of its parent company, Facebook. After both networks faced sustained backlash and controversy from social media enthusiasts, Facebook assured the world that no one, including Facebook, can read private WhatsApp messages. Until now. New reports reveal that WhatsApp’s end-to-end encryption works in such a way that Facebook can, in fact, read WhatsApp messages.


How WhatsApp’s end-to-end encryption works.

The encryption relies on a set of security keys that are generated using Signal, a protocol developed by Open Whisper Systems. These security keys are exchanged between WhatsApp users and verified so that the messages they send and receive remain private.

The hole in the system.

Though the system seems foolproof, WhatsApp has the power to forcibly generate new security keys for offline users. When a message is sent yet remains undelivered, WhatsApp can make the sender re-encrypt the message with new security keys. The company can then send the messages again, unknown to both the sender and receiver. The sender gets a notification of the change in encryption only if they’ve opted in to encryption warnings, and even then only after the message has been sent for the second time. In sum, even if the sender gets a notification, they can do nothing about it. And that’s how WhatsApp can intercept users’ messages.

Found by a researcher.

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Tobias Boelter told the Guardian. Boelter, who discovered this security backdoor, is a researcher and cryptographer at the University of California.

Safe Signal.

Signal, the messaging app whose protocol WhatsApp uses, doesn’t have the same issue. When the same case occurs in Signal, the sent message isn’t delivered and the sender automatically gets a notification, whereas WhatsApp automatically resends the message without warning the sender.
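The two key-change behaviours described above, as a toy model added here for illustration; it is not WhatsApp's or Signal's code. The class, policy names, key label and sample message are constructed, and no real cryptography is performed.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    policy: str                  # "resend_then_notify" or "block_and_notify" (constructed names)
    warnings_on: bool = False    # the opt-in key-change notification setting
    pending: list = field(default_factory=list)  # sent, not yet delivered
    resent: list = field(default_factory=list)   # (message, key, user_approved)
    alerts: list = field(default_factory=list)   # what the user actually sees

    def send(self, msg):
        # Recipient is offline, so the message waits undelivered.
        self.pending.append(msg)

    def _resend(self, key, approved):
        self.resent += [(m, key, approved) for m in self.pending]
        self.pending.clear()

    def on_key_change(self, new_key):
        """Server announces a new key for the offline recipient."""
        if self.policy == "block_and_notify":
            # Behaviour the article attributes to Signal: hold and tell the user.
            self.alerts.append(f"key changed, {len(self.pending)} message(s) held")
            return
        # Behaviour the article attributes to WhatsApp: resend first, warn later,
        # and only if the user opted in to warnings.
        self._resend(new_key, approved=False)
        if self.warnings_on:
            self.alerts.append("key changed, messages already re-sent")

    def approve(self, new_key):
        """User has checked the new key and chooses to resend."""
        self._resend(new_key, approved=True)

def sent_without_consent(s):
    """Messages re-encrypted to a key the user never got to approve."""
    return [m for m, _key, ok in s.resent if not ok]

def demo():
    results = {}
    for policy, warn in [("resend_then_notify", False),
                         ("resend_then_notify", True),
                         ("block_and_notify", False)]:
        s = Sender(policy, warn)
        s.send("meet at 6")          # constructed sample message
        s.on_key_change("key-B")     # constructed key label
        results[(policy, warn)] = (sent_without_consent(s), list(s.alerts), list(s.pending))
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Turning warnings on changes only what the sender is told afterwards; in both resend cases the message has already gone out under the new key.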

Facebook was aware.

When Boelter reported the vulnerability to Facebook back in April 2016, the company dismissed it as normal behavior. The company wasn’t actively working to fix the issue and, according to the Guardian, the security backdoor is still live.
