WhatsApp Vulnerability Enables Interception of Encrypted Messages
A vulnerability in how Facebook-owned WhatsApp handles encrypted messages could allow someone besides the intended recipient to intercept and read a sender's private messages, according to a cryptography researcher at the University of California-Berkeley.
Tobias Boelter, a PhD candidate, first reported the vulnerability to Facebook in April. A month later, he noted that Facebook said it was aware of the issue but was not actively working to make changes. A report in today's Guardian newspaper said that the vulnerability still exists.
Since the Guardian article was published, several security researchers have acknowledged that they are concerned about the WhatsApp flaw, but criticized the newspaper for calling it a "backdoor."
A backdoor is generally considered to be an intentionally introduced vulnerability that lets someone other than the intended user control a program, device or network. A WhatsApp spokesperson told us today that the description of the vulnerability as a backdoor is "false."
'Not a Backdoor'
In a post on his blog on April 16, Boelter described how the WhatsApp vulnerability works: when an encrypted message is sent but not delivered, a third party can intervene and get the WhatsApp server to re-encrypt the original message using a new encryption key, enabling the third party to receive the original message.
Nadim Kobeissi, a PhD candidate at France's Inria Prosecco lab, said on Twitter this morning that he has verified that vulnerability. "I've been producing this result since October 2015," Kobeissi said. "Not a 'backdoor' but equally intolerable."
Matthew Green, a cryptographer and professor at Johns Hopkins University, echoed those comments in several tweets of his own. "I wish we could put the word 'backdoor' in a glass case and only bring it out when something is really deserving," Green said. In another comment, he added, "It is totally stupid. I wish WhatsApp didn't have this issue and would fix it. It is not a 'backdoor.'"
Feature 'Prevents Messages from Being Lost'
Acquired by Facebook in 2014, the instant messaging service WhatsApp reported last year that it had passed the 1 billion-user mark. WhatsApp rolled out end-to-end encryption for its service in late 2014 through a partnership with Open Whisper Systems.
To get the full benefit of encrypted messaging, however, users should turn on the "security notifications" option and verify each other's identities; with that option enabled, each user sees an alert whenever a message is re-encrypted with a new security key, according to WhatsApp.
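The behaviour Boelter describes above and the "security notifications" setting WhatsApp points to, as an added toy model (not WhatsApp's or Open Whisper Systems' code): a client holding an undelivered message is told the recipient's key has changed. One policy silently re-encrypts and resends; the other keeps the message queued until the user has verified the new fingerprint out of band. The client, policy names and key fingerprints are constructed for the example.

```python
from dataclasses import dataclass, field
# Toy model (added example, not WhatsApp's or Open Whisper Systems' code): "encryption"
# is simulated by recording which recipient key a queued message was encrypted for.
@dataclass
class QueuedMessage:
    text: str
    encrypted_for: str          # recipient key fingerprint used at send time

@dataclass
class Client:
    policy: str                 # "auto_rekey" (silent) or "block_until_verified"
    recipient_key: str          # fingerprint the client currently holds
    verified: bool = True       # False once a key change arrives, until checked
    queue: list = field(default_factory=list)
    delivered: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def send(self, text: str) -> None:
        self.queue.append(QueuedMessage(text, self.recipient_key))

    def on_key_change(self, new_fingerprint: str) -> None:
        """Server announces a new key for the recipient while a message is queued."""
        self.recipient_key = new_fingerprint
        self.verified = False
        self.alerts.append(f"security notification: key changed to {new_fingerprint}")
        if self.policy == "auto_rekey":
            # Silent behaviour: re-encrypt pending messages for the new key and resend
            # them without the user confirming that the key really is the recipient's.
            self._reencrypt_and_flush()
        # "block_until_verified": queue stays pending until verify_fingerprint() passes

    def verify_fingerprint(self, fingerprint_seen_out_of_band: str) -> bool:
        # User compares the fingerprint over another channel (safety number).
        if fingerprint_seen_out_of_band == self.recipient_key:
            self.verified = True
            self._reencrypt_and_flush()
        return self.verified

    def _reencrypt_and_flush(self) -> None:
        for m in self.queue:
            m.encrypted_for = self.recipient_key
        self.delivered.extend(self.queue)
        self.queue.clear()

def simulate(policy: str) -> Client:
    """One undelivered message, then the recipient's key changes (constructed values)."""
    c = Client(policy=policy, recipient_key="KEY-A")
    c.send("meet at 9")
    c.on_key_change("KEY-B")
    return c
```

Both policies raise the same alert; the difference is whether the queued message leaves the device under the unverified key before the user has seen it.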
"The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a 'backdoor' allowing governments to force WhatsApp to decrypt message streams," the WhatsApp spokesperson told us. "This claim is false."
The spokesperson added, "WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks."
Posted: 2017-01-14 @ 2:29am PT
WhatsApp was always an untrusted app for me. It is such a shame. I think you'd better not use WhatsApp anymore.