In April of last year, WhatsApp finally enabled complete end-to-end encryption for both chats and video calls to ensure that no one but the intended recipient can decipher contents of their communications. However, as reported by The Guardian, right around the same time a cryptography and security researcher notified the developer, and Facebook, that a security bug made it possible for messages to be read not only by would-be attackers, but also by Facebook.
The researcher is Tobias Boelter, and he works out of the University of California, Berkeley. In his research, he discovered that WhatsApp creates new encryption keys for undelivered messages. Those could be messages sent to a person who is offline, or to a person who has changed their phone number. Either way, those messages can be intercepted, and, what’s more, WhatsApp actually has another version of that same message on its servers, because it creates a different version of that message.
According to Boelter, this means:
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
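The re-keying behaviour described above, modelled as an added example (not WhatsApp's code and not Boelter's): a sender either re-encrypts undelivered messages to a newly announced recipient key automatically, or holds them until the key is verified. The `Sender` class, the blocking policy shown for contrast, the XOR stand-in cipher and the keys are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(key: bytes) -> str:
    """Short identifier a user could compare out of band."""
    return hashlib.sha256(key).hexdigest()[:12]

def seal(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for encrypting to a recipient key (XOR stream; also decrypts)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Sender:
    recipient_key: bytes      # key the sender currently encrypts to
    block_on_change: bool     # False models the behaviour the article describes
    undelivered: list = field(default_factory=list)  # plaintexts with no delivery receipt
    log: list = field(default_factory=list)

    def send(self, text: str) -> bytes:
        self.undelivered.append(text.encode())
        return seal(self.recipient_key, self.undelivered[-1])

    def on_key_change(self, new_key: bytes) -> list:
        """Server reports a new recipient key; return the ciphertexts that go out."""
        change = f"{fingerprint(self.recipient_key)} -> {fingerprint(new_key)}"
        if self.block_on_change:
            # Hypothetical stricter policy: nothing leaves until the user verifies.
            self.log.append(f"held {len(self.undelivered)} message(s), verify {change}")
            return []
        self.recipient_key = new_key
        self.log.append(f"re-encrypted {len(self.undelivered)} message(s), {change}")
        return [seal(new_key, m) for m in self.undelivered]

def run(block_on_change: bool):
    old_key, new_key = b"constructed-key-A", b"constructed-key-B"  # constructed samples
    sender = Sender(old_key, block_on_change)
    sender.send("meet at 9")  # recipient offline: no delivery receipt arrives
    resent = sender.on_key_change(new_key)
    readable = [seal(new_key, c).decode() for c in resent]  # what the new key holder reads
    return readable, sender.log

if __name__ == "__main__":
    for policy in (False, True):
        print(policy, *run(policy))
```

With `block_on_change=False` the pending message becomes readable to whoever holds the new key, and the sender's log is the only trace of the change; with `True` nothing is retransmitted.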
Perhaps what is most interesting, though, is that Boelter reached out to WhatsApp and Facebook, informing them of the security bug. In a response, Facebook told him that they are “not actively working on changing” anything. As a result, this is now being considered a legitimate backdoor in the software.
Speaking for WhatsApp, a spokesperson said:
“We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
Privacy campaigners have criticized the development as a “huge threat to freedom of speech,” saying it could be exploited by government agencies. The existence of a backdoor within WhatsApp’s encryption is “a gold mine for security agencies” and “a huge betrayal of user trust,” said Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy.
At any rate, Facebook should definitely come clean on whether or not WhatsApp’s end-to-end encryption has been compromised. And if so, the inevitable question arises: has Facebook been compelled by a third party to build a backdoor in WhatsApp?
Facebook declined comment, but we’ll update the article if and when they do.
Source: The Guardian