Research carried out at the University of California, and reported by The Guardian, claimed that WhatsApp’s parent company Facebook could read user messages via a “back door” in the system: re-encrypting undelivered messages under a new key and resending them lets WhatsApp intercept and read the messages of its users.
More worryingly still, when Boelter reported the issue to Facebook in April of the previous year, he was told that it was ‘expected behaviour’. The Guardian has verified that the backdoor still exists today.
The back door through WhatsApp’s security could potentially be used by the United Kingdom government to legally force Facebook, the app’s owner, to give access to messages.
Boelter stressed that the feature is not inherent in the WhatsApp Signal protocol, adding that Facebook was warned of the backdoor undermining user privacy but responded stating this was expected and was not being addressed.
“High-risk users of WhatsApp, like people who are communicating very sensitive information, they should definitely be anxious”.
WhatsApp’s implementation of end-to-end encryption uses the widely respected Signal protocol.
Cryptographer Frederic Jacobs said anyone anxious about falling victim to the bug could adjust the app’s security settings so that it warns them if encryption keys are being changed. When a key changes, WhatsApp can make the sender re-encrypt any messages that weren’t marked as delivered with the new key and send them again. Here’s what you need to do to ensure you are told when the key changes.
Security expert Frederic Jacobs, who previously worked with Open Whisper Systems, tweeted: “It’s ridiculous that this is presented as a backdoor”. Both WhatsApp and Signal make use of a concept called “trust on first use”, which trusts a user’s encryption key once it has been exchanged between users, for as long as it doesn’t change.
In theory, that would allow WhatsApp – or any government agency with the appropriate court order – to snoop on supposedly secure messages.
Open Whisper Systems, the San Francisco-based company which developed the Signal Protocol used by the WhatsApp messenger, published a blog post on Friday entitled “There is no WhatsApp ‘backdoor’”. WhatsApp does, however, have a feature that notifies the user if the encryption key has changed. Facebook, moreover, has been claiming that no one can intercept WhatsApp messages, and that includes the company and its staff. Once that setting is turned on, you will be alerted each time a security key changes. While the flaw in WhatsApp certainly has the appearance of being nefarious, there is nothing to suggest that users’ messages are actively being compromised.
“The Guardian’s story on an alleged ‘backdoor’ in WhatsApp is false”.
Turn on this setting to receive notifications when a contact’s security code has changed.
“The proposition is that this condition: backed-up messages, combined with someone colluding with Facebook, WhatsApp to ‘fake’ the ‘person has a new phone’ condition, can lead to the backed-up messages being re-encrypted and sent to the new, fake or colluded phone”.
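The trust-on-first-use model, the “security code has changed” notification, and the re-encrypt-and-resend behaviour that the article and the quote above describe, as an added example that is not part of the original article and is not WhatsApp or Signal code. Everything in it is constructed: the contact keys, the nonce, the toy SHA-256 keystream cipher (which only makes “ciphertext under which key” concrete and is not the Signal protocol), and the `hold_on_key_change` policy, which is an assumed stricter alternative used for contrast, not something the article attributes to WhatsApp.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model (added example, not WhatsApp or Signal code). Keys are
# 32-byte secrets, one per device. The "cipher" is a SHA-256 counter keystream
# XOR that exists only to make ciphertext-under-which-key concrete; it is not
# the Signal protocol and must not be used for real traffic.


def fingerprint(key: bytes) -> str:
    """Short comparable digest, standing in for the app's 'security code'."""
    return hashlib.sha256(b"fp" + key).hexdigest()[:16]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a SHA-256 counter keystream (toy, for the model only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


@dataclass
class Pending:
    contact: str
    nonce: bytes
    plaintext: bytes   # kept locally until delivery is confirmed
    ciphertext: bytes
    key_fp: str        # fingerprint of the key the ciphertext is under


@dataclass
class Sender:
    """Sending client with a TOFU key store and a configurable key-change policy.

    notify_on_key_change: record a warning when a contact's key changes
                          (the setting the article tells users to turn on).
    hold_on_key_change:   keep undelivered messages back instead of
                          re-encrypting them under the new key (assumed
                          stricter policy, used here only for contrast).
    """
    notify_on_key_change: bool = True
    hold_on_key_change: bool = False
    pinned: dict = field(default_factory=dict)    # contact -> key (TOFU pin)
    outbox: list = field(default_factory=list)    # undelivered Pending items
    warnings: list = field(default_factory=list)  # (contact, old_fp, new_fp)

    def observe_key(self, contact: str, key: bytes) -> str:
        """TOFU: pin the first key seen for a contact; report later changes."""
        if contact not in self.pinned:
            self.pinned[contact] = key
            return "pinned"
        return "unchanged" if self.pinned[contact] == key else "changed"

    def send(self, contact: str, key: bytes, plaintext: bytes, nonce: bytes) -> Pending:
        """Encrypt under the contact's pinned key and queue as undelivered."""
        if self.observe_key(contact, key) == "changed":
            raise ValueError("key changed; route through on_key_change first")
        msg = Pending(contact, nonce, plaintext,
                      keystream_xor(key, nonce, plaintext), fingerprint(key))
        self.outbox.append(msg)
        return msg

    def on_key_change(self, contact: str, new_key: bytes) -> str:
        """Server announces a new key for `contact` (the 'new phone' condition).

        Returns 'held' if undelivered messages were kept back, or 'resent'
        after re-encrypting them under the new key (the behaviour the
        article describes).
        """
        old_key = self.pinned.get(contact)
        status = self.observe_key(contact, new_key)
        if status != "changed":
            return status
        old_fp, new_fp = fingerprint(old_key), fingerprint(new_key)
        if self.notify_on_key_change:
            self.warnings.append((contact, old_fp, new_fp))  # detection
        if self.hold_on_key_change:
            return "held"                                     # mitigation
        self.pinned[contact] = new_key
        for msg in self.outbox:
            if msg.contact == contact:
                msg.ciphertext = keystream_xor(new_key, msg.nonce, msg.plaintext)
                msg.key_fp = new_fp
        return "resent"

    def undelivered(self, contact: str) -> list:
        return [m for m in self.outbox if m.contact == contact]


def try_decrypt(key: bytes, msg: Pending) -> bytes:
    """What a device holding `key` recovers from the queued ciphertext."""
    return keystream_xor(key, msg.nonce, msg.ciphertext)


def simulate(hold: bool) -> dict:
    """'Recipient's key changed before delivery' scenario with constructed keys."""
    phone1 = hashlib.sha256(b"bob-phone-1").digest()  # key Bob's original device holds
    phone2 = hashlib.sha256(b"bob-phone-2").digest()  # key a second, new device holds
    alice = Sender(notify_on_key_change=True, hold_on_key_change=hold)
    alice.send("bob", phone1, b"meet at 9", b"n1")    # never marked delivered
    outcome = alice.on_key_change("bob", phone2)
    msg = alice.undelivered("bob")[0]
    return {
        "outcome": outcome,
        "warned": len(alice.warnings) == 1,
        "phone2_reads": try_decrypt(phone2, msg) == b"meet at 9",
        "phone1_reads": try_decrypt(phone1, msg) == b"meet at 9",
    }


if __name__ == "__main__":
    for hold in (False, True):
        print("hold_on_key_change =", hold, simulate(hold))
```

The warning is detection, not prevention: with the resend policy the queued message becomes readable by whichever device now holds the new key, which is exactly the condition described in the quote, and the sender only learns of it after the fact. Only holding delivery until the new fingerprint has been verified keeps the message under the original key.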