WhatsApp messages are vulnerable to interception

It seems that Facebook has a bit of a problem. While gathering its huge user base, WhatsApp announced that it offered private and secure communications between users, and when it finally implemented an end-to-end encryption system, the service stated that neither its employees nor the authorities could see the content of your messages. Unfortunately for the many activists, diplomats and journalists who use the app regularly, it seems that this was actually a lie.

A while back, security experts discovered a vulnerability in WhatsApp's code which allows the company and other third parties to intercept the messages sent between users. At the time, Facebook replied that it was aware of the issue but that, since the messages are encrypted, it was not a real security problem. However, that has been proven to be a lie. Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, has recently discovered that the social network can actually see the content of your messages due to a loophole in the way it implemented the end-to-end encryption.

First off, let me try to make things a little clearer for readers who aren't that tech-savvy. To ensure that the messages you exchange on WhatsApp can't be read by other people, the service uses an end-to-end encryption protocol called Signal (which is correctly used by other applications, including the one with the same name). This security measure scrambles the message you write using unique encryption keys, so that your text can only be unscrambled on the intended recipient's device.

Unfortunately, WhatsApp created a loophole when implementing this system. In simple terms, the service can force the system to generate new keys for offline users, re-encrypting and re-sending the messages. While the keys are being switched, the Facebook-owned company has full access to your messages and can see their content. What's even worse is that the recipients are never notified that the encryption keys have been switched, while the senders will only find out about it if they have previously enabled the encryption warnings in the app's settings, and only after it has already happened.

This means that whenever you're offline, WhatsApp can continuously flip the keys and resend your messages, reading them in the process. When you're working with confidential information, the fact that Facebook employees can see it is quite bad. Furthermore, governments and law-enforcement agencies can force the service to give them access to your chats, and it's not just a single message: this vulnerability allows third parties to intercept entire conversations.
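The difference the previous paragraphs describe comes down to one client-side decision: what a sender does when the server presents a new identity key for a contact. The Python below is an added example, not WhatsApp's or Signal's code, and it models none of the real protocol or cryptography; it only simulates the sender's policy. `Sender`, `simulate`, the policy names `auto_rekey` and `block_on_change`, and the `fingerprint` helper are constructed for illustration. `auto_rekey` stands for the behaviour the article attributes to WhatsApp (re-encrypt and resend silently, warn afterwards only if the user opted in); `block_on_change` stands for holding the message and always warning, so the user can verify the new key before anything is sent to it.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    # Stand-in for a safety number: a short hash of a contact's identity key (constructed helper).
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Sender:
    policy: str                                       # "auto_rekey" or "block_on_change"
    notifications_enabled: bool = False               # the opt-in "encryption warnings" setting
    known_keys: dict = field(default_factory=dict)    # contact -> fingerprint, trust on first use
    delivered: list = field(default_factory=list)     # (contact, fingerprint, text) actually sent
    held: list = field(default_factory=list)          # messages waiting for the user to verify a key
    warnings: list = field(default_factory=list)      # key-change notices shown to the user

    def send(self, contact: str, recipient_key: bytes, text: str) -> str:
        fp = fingerprint(recipient_key)
        known = self.known_keys.get(contact)
        if known is None:
            # First contact: trust on first use, there is nothing to compare against yet.
            self.known_keys[contact] = fp
        elif known != fp:
            # The server presents a different identity key for this contact.
            if self.policy == "block_on_change":
                # Always warn and hold the message until the user has verified the new key.
                self.warnings.append(f"{contact}: key changed {known} -> {fp}")
                self.held.append((contact, fp, text))
                return "held"
            # auto_rekey: accept the new key silently; a notice appears only if the user
            # opted in, and only after the message has already gone out to the new key.
            self.known_keys[contact] = fp
            if self.notifications_enabled:
                self.warnings.append(f"{contact}: key changed {known} -> {fp}")
        self.delivered.append((contact, fp, text))
        return "delivered"


def simulate(policy: str, notifications_enabled: bool = False) -> dict:
    """Alice messages Bob; after the first message the server presents a new key for Bob."""
    bob_key_1 = secrets.token_bytes(32)   # constructed: Bob's original identity key
    bob_key_2 = secrets.token_bytes(32)   # constructed: a replacement key Alice never verified
    alice = Sender(policy, notifications_enabled)
    alice.send("bob", bob_key_1, "hello")
    alice.send("bob", bob_key_2, "the draft is attached")
    alice.send("bob", bob_key_2, "let me know what you think")
    sent_to_new_key = sum(1 for _, fp, _ in alice.delivered if fp == fingerprint(bob_key_2))
    return {
        "sent_to_new_key": sent_to_new_key,
        "held": len(alice.held),
        "warnings": len(alice.warnings),
    }


if __name__ == "__main__":
    for policy, notify in [("auto_rekey", False), ("auto_rekey", True), ("block_on_change", False)]:
        print(policy, "notifications" if notify else "no notifications", simulate(policy, notify))
```

Run as a script, the `auto_rekey` rows show both later messages going to the unverified key with zero warnings (or a single after-the-fact warning when notifications are on), while `block_on_change` sends nothing to the new key and holds both messages behind a warning. The point for a defender is that the warning setting changes only what the user sees, not what is sent; only the blocking policy prevents content from reaching a key the sender never verified.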

When asked about this subject by the media, Facebook stated that it protects its users and would fight any government that requests user data, but keeping in mind that the IT giant has created a censorship tool for China, I'm going to hold on to my right to be skeptical about this comment.
