According to Tobias Boelter, a security researcher at the University of California, a security flaw in WhatsApp’s encryption allows private messages to be read by Facebook and government agencies. He discovered a backdoor in WhatsApp’s method of end-to-end encryption, which was introduced by the company last year to ensure that no one, including the company, can read a user’s messages (via The Telegraph).
It means the company could intercept messages sent to phones that aren’t connected to the internet and forward them to a separate device without the sender or receiver knowing. The messages could still be delivered to the intended device, leaving users who don’t have security notifications switched on completely unaware.
“If WhatsApp was asked by a government agency to disclose its messaging records it can effectively grant access due to the change in keys,” Boelter said. “The vulnerability, which is unique to WhatsApp rather than the Signal security protocol it uses, can also be used to retrieve entire message transcripts.”
For those who don’t know, end-to-end encryption is a way of transmitting a message so that it can only be read by the intended recipient, not intercepted by accessing the servers or the networks through which the message passes. Rather than being sent as plain text, the message is scrambled into ciphertext that can only be unscrambled with a key held by the sender and the recipient alone.
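The behaviour at issue is what a client does with messages queued for an offline recipient when that recipient’s identity key changes before delivery. The following is an added illustration, not WhatsApp’s or Signal’s code: a toy sender that either silently re-encrypts the queued messages to the new key (the “expected behaviour” the article reports) or fails closed and warns the user. The key names, messages and the SHA-256-keyed XOR “cipher” are all constructed for the example and stand in for the real protocol.

```python
# Added example: models queued-message handling on identity-key change.
# Not WhatsApp's or Signal's code; the cipher below is a toy stand-in.
import hashlib


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy symmetric construction: XOR with a SHA-256(key) keystream.
    # Applying it twice with the same key recovers the plaintext.
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % 32] for i, b in enumerate(plaintext))


class Client:
    def __init__(self, peer_key: bytes, block_on_key_change: bool):
        self.peer_key = peer_key                      # last trusted identity key
        self.block_on_key_change = block_on_key_change
        self.outbox = []                              # plaintexts waiting for an offline peer
        self.events = []                              # what the user would (or would not) see

    def queue(self, msg: bytes):
        self.outbox.append(msg)

    def deliver(self, current_peer_key: bytes):
        """Flush the outbox once the peer is reachable; returns the ciphertexts sent."""
        if current_peer_key != self.peer_key:
            if self.block_on_key_change:
                # Fail closed: nothing leaves the device until the user verifies the new key.
                self.events.append("KEY CHANGED: delivery blocked until user verifies")
                return []
            # Silent path: re-encrypt everything queued to whoever now holds the new key.
            self.events.append("key changed; queued messages re-encrypted silently")
            self.peer_key = current_peer_key
        sent = [encrypt(self.peer_key, m) for m in self.outbox]
        self.outbox.clear()
        return sent


def simulate(block_on_key_change: bool):
    """Queue one message for an offline peer, then deliver after the peer's key changes."""
    old_key, new_key = b"constructed-old-identity-key", b"constructed-new-identity-key"
    client = Client(old_key, block_on_key_change)
    client.queue(b"meet at 9")
    sent = client.deliver(new_key)
    return sent, client.events, client.outbox


if __name__ == "__main__":
    for policy in (False, True):
        sent, events, pending = simulate(policy)
        print(f"block_on_key_change={policy}: sent={len(sent)} pending={len(pending)} {events}")
```

The silent path hands the holder of the new key a readable copy of every queued message; the blocking path keeps the messages on the device until the user compares the new key out of band.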
Analysts believe this security flaw is particularly worrying for activists, journalists and regular citizens living in oppressive countries. “The potential for government abuses from this misuse of encryption with WhatsApp is alarming,” said Kevin Bocek, chief cyber security strategist at Venafi. “This is a serious vulnerability.”
Boelter had made Facebook aware of the flaw last spring, but the company said it was “expected behaviour” and has not yet attempted to fix it.