When Facebook’s WhatsApp turned on end-end-end encryption in its messaging service last year, it was a big deal. As all eyes were glued on Apple’s fight with the FBI over unlocking the San Bernardino shooter’s iPhone, WhatsApp took a huge step toward protecting its users’ privacy by moving to encrypt all messages and calls being sent between its apps.
But a new report suggests it might not be as secure as users think. According to The Guardian, a serious vulnerability in WhatApp’s encryption could allow Facebook to intercept and read messages unbeknownst to the recipient, and only aware of by the sender if they have previously opted in to receive encryption warnings. The security flaw, which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, can “effectively grant access (to users’ messages)” by changing the security keys and resending messages.
“WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol … to guarantee communications are secure and cannot be intercepted by a middleman,” the paper wrote. “However, WhatsApp has the ability to force the generation of new encryption keys for offline users … and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.”
While there is no evidence to suggest WhatsApp has used the flaw to surreptitiously intercept messages, Boelter says he reported the vulnerability to Facebook back in April 2016 but was informed that it was “expected behavior.” According to The Guardian the security flaw, which still exists in the latest version of the service’s encryption, is exasperated by WhatsApp’s habit of automatically resending undelivered messages without authorization by the user.
According the Whatsapp its website, end-to-end encryption is always activated when using the service, and there is no way to turn it off. Additionally, each conversation has its own optional verification process that can be used to verify that calls and messages are end-to-end encrypted.
The impact on you at home: Hopefully, there is none. While the flaw in WhatsApp certainly has the appearance of being nefarious, there is nothing to suggest that users’ messages are actively being compromised. That being said, the possibility that messages can be intercepted should be enough for Facebook to respond and act on it, and we hope they do in a timely fashion.