WhatsApp security flaw allows spying on encrypted messages

by Gabriel E. Hall - - 2017-01-18

Latest news about security hole found in popular messaging application WhatsApp shocked users and the entire community. The application was known as one of the safest platforms because of unique end-to-end encryption technique that allows only sender and receiver to read conversations. However, Tobias Boalter, a security researcher from University of California, Berkeley, has found the major flaw^[1] that wrecked a theory about safe and confidential messaging. He spotted a backdoor in end-to-end encryption that allows owners of the company, governmental institutions or even hackers to encrypt messages and get access to users’ conversations.

WhatsApp’s end-to-end encryption^[2] is based on unique security keys that prevent unverified parties from having access to the conversation they are not supposed to read. Users have to trade and verify security keys; therefore, they are the only ones who can exchange and read messages. Many people found this feature appealing because no one else, even Facebook who owns the company, cannot spy on them. However, Boalter discovered that when users and their devices are offline, WhatsApp can force security keys to re-send the message without users’ knowledge. Surprisingly, the sender is informed about this activity only if he or she have opted-in encryption warning settings. It’s unknown whether it is a bug or a serious vulnerability; however, the first discussions about possible flaws in end-to-end encryption started in spring 2016^[3].

When media outlets revealed^[4] about the security flaw in WhatsApp, Facebook claimed that no one could intercept messages. However, various specialists have concerns about it and believe that it might be a serious threat to the freedom of speech. This vulnerability might give governments backdoor to spy on citizens who doesn’t suspect anything bad. Some security specialists recommend looking for another free and secure messaging applications and remind about previous concerns about possible WhatsApp’s security issues. Several affairs have been pointed out since Facebook took over the company in 2014^[5]. The ones, who decide to stick to using this messaging platform, are encouraged to set up encryption warnings that notify about changed security code: go to Settings -> Account -> Security -> Turn on Show security notifications.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Tobias Boelter. WhatsApp vulnerability: Bug or Backdoor?. Tobias Boelter's Blog.
^ End-to-End Encryption. WhatsApp. Frequently Asked Questions.
^ Rolf Weber. How service providers of messengers with end-to-end encryption could be compelled to decrypt messages. Rolf Weber's post on Google Plus.
^ Manisha Ganguly. WhatsApp vulnerability allows snooping on encrypted messages. The Guardian. News Website.
^ Cara McGoogan . WhatsApp messages could be read by exploiting security backdoor. The Telegraph. News Website.