Latest news about security hole found in popular messaging application WhatsApp shocked users and the entire community. The application was known as one of the safest platforms because of unique end-to-end encryption technique that allows only sender and receiver to read conversations. However, Tobias Boalter, a security researcher from University of California, Berkeley, has found the major flaw that wrecked a theory about safe and confidential messaging. He spotted a backdoor in end-to-end encryption that allows owners of the company, governmental institutions or even hackers to encrypt messages and get access to users’ conversations.
WhatsApp’s end-to-end encryption is based on unique security keys that prevent unverified parties from having access to the conversation they are not supposed to read. Users have to trade and verify security keys; therefore, they are the only ones who can exchange and read messages. Many people found this feature appealing because no one else, even Facebook who owns the company, cannot spy on them. However, Boalter discovered that when users and their devices are offline, WhatsApp can force security keys to re-send the message without users’ knowledge. Surprisingly, the sender is informed about this activity only if he or she have opted-in encryption warning settings. It’s unknown whether it is a bug or a serious vulnerability; however, the first discussions about possible flaws in end-to-end encryption started in spring 2016.
When media outlets revealed about the security flaw in WhatsApp, Facebook claimed that no one could intercept messages. However, various specialists have concerns about it and believe that it might be a serious threat to the freedom of speech. This vulnerability might give governments backdoor to spy on citizens who doesn’t suspect anything bad. Some security specialists recommend looking for another free and secure messaging applications and remind about previous concerns about possible WhatsApp’s security issues. Several affairs have been pointed out since Facebook took over the company in 2014. The ones, who decide to stick to using this messaging platform, are encouraged to set up encryption warnings that notify about changed security code: go to Settings -> Account -> Security -> Turn on Show security notifications.