
Privacy is a concern of today and tomorrow, not a thing of the past. WhatsApp is one of the most popular messaging apps, installed on many devices.
While it has implemented end-to-end encryption for all communication, it turns out that things aren't as secure as they appear.
Security researcher Tobias Boelter from the University of California, Berkeley has discovered a backdoor in WhatsApp that leaves private communication vulnerable to interception by third parties, including government authorities and even Facebook, which owns it.
"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," said Boelter.
To secure communication, WhatsApp uses the Signal protocol developed by Open Whisper Systems to generate unique security keys for its end-to-end encryption. However, the messaging service has built an additional mechanism into its implementation that lets it force the generation of new encryption keys for offline users, leaving certain messages vulnerable to attacks.
So once WhatsApp forces an update to the security keys, all undelivered messages are automatically re-encrypted and sent again with the new keys, without the sender's consent. This gives others the opportunity to intercept the message.

This flaw is not Signal's. The Signal app, used and recommended by whistleblower Edward Snowden, doesn't suffer from the same vulnerability: on Signal, if a recipient changes the security key while offline, a sent message will fail to be delivered and the sender will be notified of the key change, without the message being automatically resent.
But WhatsApp, when keys change, automatically resends undelivered messages without first notifying the sender or the recipient. While WhatsApp does notify users when security code changes occur, users couldn't stop their undelivered messages from being resent with the new keys.
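To make the difference between the two behaviours concrete, here is an added simulation, constructed for this article and not WhatsApp's or Signal's code. A sender queues a message for an offline recipient, the recipient's registered key changes while the message is still queued, and delivery is then attempted under each policy. The toy keystream cipher, the class and policy names, and the sample message are all assumptions of the example; the only thing it is meant to show is which party ends up able to read the queued message and whether the sender gets to decide.

```python
"""Simulation of the two key-change policies described in the article:
automatic re-encryption of queued messages (the WhatsApp behaviour as reported)
versus fail-and-notify (the Signal behaviour as reported).
Constructed illustration; not either app's code."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AUTO_RESEND = "auto_resend"          # re-encrypt queued messages to the new key silently
FAIL_AND_NOTIFY = "fail_and_notify"  # hold them back until the sender acts on the notice


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustrative only, not a real cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt


@dataclass
class Device:
    """A recipient phone. A reinstall yields a new Device with a fresh key."""
    key: bytes = field(default_factory=lambda: os.urandom(32))


@dataclass
class Server:
    """Key directory plus store-and-forward queue for an offline recipient."""
    current_key: bytes
    queue: list = field(default_factory=list)  # entries: (msg_id, key_used, ciphertext)


@dataclass
class SenderClient:
    """The sender's app. It pins the recipient key it first saw (trust on first use)."""
    pinned_key: bytes
    policy: str
    outbox: Dict[str, bytes] = field(default_factory=dict)  # plaintext kept for retransmission
    notices: List[str] = field(default_factory=list)
    withheld: List[str] = field(default_factory=list)

    def send(self, server: Server, msg_id: str, plaintext: bytes) -> None:
        self.outbox[msg_id] = plaintext
        server.queue.append((msg_id, self.pinned_key, encrypt(self.pinned_key, plaintext)))

    def on_key_change(self, server: Server, msg_id: str) -> Optional[bytes]:
        """A queued message was encrypted to a key the directory no longer lists.
        Return a fresh ciphertext to deliver, or None to hold the message back."""
        self.notices.append(f"security code for recipient changed (msg {msg_id})")
        if self.policy == AUTO_RESEND:
            self.pinned_key = server.current_key  # accept the new key without asking the user
            return encrypt(self.pinned_key, self.outbox[msg_id])
        self.withheld.append(msg_id)              # fail closed; the user decides later
        return None


def attempt_delivery(server: Server, sender: SenderClient, device: Device) -> List[bytes]:
    """Recipient comes online with `device`; deliver whatever the queue holds."""
    readable = []
    for msg_id, key_used, ct in list(server.queue):
        server.queue.remove((msg_id, key_used, ct))
        if key_used != server.current_key:
            ct = sender.on_key_change(server, msg_id)
            if ct is None:
                continue
        readable.append(decrypt(device.key, ct))
    return readable


def run_scenario(policy: str) -> dict:
    """Queue one message, rotate the recipient key, then attempt delivery."""
    old_phone = Device()
    server = Server(current_key=old_phone.key)
    alice = SenderClient(pinned_key=old_phone.key, policy=policy)
    alice.send(server, "m1", b"constructed sample message")  # recipient offline: queued

    new_phone = Device()                # reinstall, or a server-forced key update
    server.current_key = new_phone.key  # directory now lists a key Alice never verified

    readable = attempt_delivery(server, alice, new_phone)
    return {
        "readable_with_new_key": readable,  # what the holder of the new key can read
        "sender_notified": bool(alice.notices),
        "withheld": list(alice.withheld),
    }


if __name__ == "__main__":
    for policy in (AUTO_RESEND, FAIL_AND_NOTIFY):
        print(policy, run_scenario(policy))
```

Under the auto-resend policy the queued message is re-encrypted and read by whoever holds the newly registered key, and the sender only learns of the key change after the fact; under fail-and-notify the message stays withheld and the sender must act on the notice before anything is resent. The mitigation for a user is the same as the article implies: turn on security notifications and verify a contact's security code out of band after a change.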
This vulnerability doesn't put users directly at risk: communications that should be encrypted won't necessarily be at risk of being stolen by hackers. Instead, it leaves an opening for both Facebook and WhatsApp to read those messages in clear text.
Tobias Boelter first reported the vulnerability to Facebook in April 2016. But the company said the issue was "expected behavior" and not a bug, commenting that it isn't a flaw but a way to prevent messages from being lost in transit.
Facebook said that:
"In WhatsApp's implementation of the Signal protocol, we have a “Show Security Notifications” setting (option under Settings > Account > Security) that notifies you when a contact's security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit."
WhatsApp also responded with its own defense, calling the "backdoor" a "design decision."
"WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."

Boelter detailed the flaw in a post on his personal blog, and presented it at an encryption conference in December 2016.
Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff. But the flaw here is not in the end-to-end encryption itself, but in how WhatsApp has implemented the encryption protocol.
The news is proof that no matter how well communications on the internet are protected, there is no method that can entirely prevent unexpected breaches and interception.
And this is certainly a disappointment for privacy-conscious users, given that WhatsApp has boasted of its encryption as one of its main selling points, which has made it a go-to communications tool for activists, dissidents and diplomats.
Concerns over the privacy of WhatsApp users have been repeatedly highlighted since Facebook acquired the company for $19 billion in 2014. One occasion was in August 2015, when Facebook announced a change to the privacy policy governing WhatsApp that allowed the social network to merge data from WhatsApp users and Facebook, including phone numbers and app usage, for advertising and development purposes.
Further reading: End-To-End Encryption, And How It Highlights The Growing Focus On Data Privacy