New research has claimed that the way in which popular messaging platform WhatsApp has implemented its end-to-end encryption protocol leaves it vulnerable to outsider attacks.
WhatsApp, a messaging platform that caters to over a billion users, is owned by Facebook. The social media giant claims that the encryption used in WhatsApp means that nobody, not even Facebook’s staff, can intercept messages on the platform. However, privacy campaigners have pointed to a new vulnerability in the core protocol as a “huge threat to freedom of speech”, warning that it could be exploited as a backdoor by governments looking to snoop on users.
A report in the Guardian reveals that WhatsApp’s end-to-end encryption infrastructure relies on unique security keys, similar to those used by the much-heralded Signal protocol, developed by Open Whisper Systems. These unique keys are exchanged between users, and communication can only begin once it has been secured by verifying those keys.
The flaw with WhatsApp, the research claims, is its ability to force the generation of new encryption keys for offline users. This occurs without the knowledge of the sender and recipient of the messages and works by getting the sender to re-encrypt the messages with new keys before they are sent again. This applies specifically to messages that have not been marked as delivered.
Here, the recipient is unaware of this fleeting change in encryption and the sender is only notified of it if they have enabled encryption warnings among the app’s settings. Just as importantly, they are only alerted after the messages have already been re-sent.
In essence, the researcher who discovered the flaw claims that the re-encryption and resending of the message fundamentally allows WhatsApp to intercept and gain access to users’ messages.
Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, discovered the flaw and stated to the publication:
If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.
Meanwhile, messaging app Signal, which uses a similar protocol, does not fall prey to the same vulnerability. If a recipient's key changes while they are offline, a sent message will not be delivered, and the sender will be notified of the change in keys without an automatic re-send of the message. This is in contrast to WhatsApp’s implementation, which automatically resends an undelivered message with a new key, without forewarning the user or giving them the means to prevent it.
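The two behaviours described above can be compared in a small model. This is an added example, not code from WhatsApp, Signal or the researcher; the `SenderClient` class, the policy names and the key fingerprints are assumptions, and no real cryptography is performed: the model only records which key each message was encrypted to and in what order the sender was warned.

```python
from dataclasses import dataclass, field

@dataclass
class SenderClient:
    """Toy sender: 'encrypting' only records which key fingerprint was used."""
    policy: str                    # "auto_resend" or "block_and_notify" (assumed names)
    show_warnings: bool = False    # the optional encryption-warning setting
    trusted_key: str = "KEY-A"     # constructed fingerprint the sender verified
    undelivered: list = field(default_factory=list)
    events: list = field(default_factory=list)   # ordered audit trail

    def send(self, text):
        self.events.append(("sent", self.trusted_key, text))
        self.undelivered.append(text)            # pending until marked delivered

    def mark_delivered(self, text):
        self.undelivered.remove(text)

    def on_key_change(self, new_key):
        """The server announces a new key for the offline recipient."""
        if self.policy == "auto_resend":
            self.trusted_key = new_key           # accepted without verification
            for text in self.undelivered:        # re-encrypt and re-send first
                self.events.append(("sent", new_key, text))
            if self.show_warnings:               # warning, if any, comes afterwards
                self.events.append(("warned", new_key, None))
        elif self.policy == "block_and_notify":
            # Pending messages stay queued under the old key; the sender is told.
            self.events.append(("warned", new_key, None))
        else:
            raise ValueError(f"unknown policy: {self.policy}")

def sent_under(client, key):
    """Messages the client encrypted to `key`, in order."""
    return [text for kind, k, text in client.events if kind == "sent" and k == key]

def run(policy, show_warnings=False):
    """Constructed scenario: one delivered message, one pending, then a key change."""
    client = SenderClient(policy, show_warnings)
    client.send("delivered earlier")
    client.mark_delivered("delivered earlier")
    client.send("still pending")
    client.on_key_change("KEY-B")
    return client

if __name__ == "__main__":
    for policy in ("auto_resend", "block_and_notify"):
        print(policy, sent_under(run(policy, True), "KEY-B"))
```

Only the undelivered message is ever encrypted to the unverified key, and under the auto-resend policy the warning event, when enabled, is recorded after that send.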
Further, Boelter claims to have reported the vulnerability to Facebook in April 2016. He was told that while Facebook was aware of this concern, it was deemed as “expected behavior” and wasn’t being actively fixed by the social media giant.
LIFARS will have more coverage on this developing story.
Image credit: Pixabay.