WhatsApp may not be as secure as thought: a security issue has been identified in the messaging app that enables messages sent under its encryption to be read.
According to a report by The Guardian, while Facebook says WhatsApp messages can’t be intercepted, including by Facebook and its employees, the research claims Facebook could read the encrypted messages because of the way the encryption was implemented. The security issue was identified by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter said in the report.
WhatsApp encryption is supposed to be top-notch because it relies on generating unique security keys using the Signal protocol. That is supposed to guarantee that communications are secure and can’t be intercepted. But according to the report, the app can also force the creation of new encryption keys for users who are offline, without either the sender or the recipient of the messages knowing. The sender’s app would then re-encrypt any messages not yet marked as delivered with the new keys. The recipient has no idea this happened behind the scenes, and the sender won’t know either unless he or she opted in to receive encryption warnings.
“This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages,” the report said. The report noted the security issue isn’t in the Signal protocol.
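To make the key-change behaviour described above concrete, here is an added toy model (not WhatsApp’s or Signal’s code; the key server, client, key-pinning store and fingerprint function are all constructed for illustration). It contrasts a client that silently re-encrypts an undelivered message under a newly registered key, logging only an optional warning, with one that blocks the resend until the user verifies the new key.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

@dataclass
class KeyServer:
    """Provider-controlled directory of each user's current identity key."""
    keys: dict = field(default_factory=dict)

    def register(self, user: str) -> bytes:
        # A (re)registration replaces the key; nobody is asked first.
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Toy fingerprint two users compare out of band; any key change alters it."""
    return hashlib.sha256(b"".join(sorted((key_a, key_b)))).hexdigest()[:16]

@dataclass
class Client:
    name: str
    server: KeyServer
    block_on_key_change: bool          # True: refuse to resend until verified
    pinned: dict = field(default_factory=dict)   # trust-on-first-use key store
    events: list = field(default_factory=list)   # what a warning UI would show

    def send(self, to: str, text: str):
        current = self.server.keys[to]
        pinned = self.pinned.setdefault(to, current)
        if current != pinned:
            self.events.append(f"identity key for {to} changed")
            if self.block_on_key_change:
                return None                # stays undelivered, user must act
            self.pinned[to] = current      # silently accept the new key
        # Stand-in for the real encryption: record which key was used.
        return {"to": to, "key": current, "body": text.encode()}

def run_scenario(block_on_key_change: bool) -> dict:
    """Alice sends to Bob; Bob's key is rotated while he is offline; Alice retries."""
    server = KeyServer()
    alice_key, old_bob = server.register("alice"), server.register("bob")
    alice = Client("alice", server, block_on_key_change)
    first = alice.send("bob", "hello")            # pins Bob's first key
    new_bob = server.register("bob")              # key swapped while Bob is offline
    resent = alice.send("bob", "are you there?")  # retry of an undelivered message
    return {"first_key": first["key"], "new_key": new_bob, "resent": resent,
            "events": alice.events,
            "fingerprint_changed": safety_number(alice_key, old_bob)
                                   != safety_number(alice_key, new_bob)}
```

In the lenient configuration the retry goes out under the new key with only a log entry to show for it; in the strict configuration the message stays undelivered and the changed fingerprint is what the two users would compare before trusting the new key.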
Steffen Tor Jensen, head of information security and digital countersurveillance at the European-Bahraini Organisation for Human Rights, verified Boelter’s findings, saying in the report: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change [until] after it has been made, providing an extremely insecure platform.”