WhatsApp’s Security Flaw Deadly Serious: What You Need To Know

An ongoing security flaw in popular messaging app WhatsApp could allow your conversations to become intercepted by Facebook or anyone else with access, including the government. The Guardian published an expose on January 13, 2017, highlighting how the security flaw works, and within days, virtually everyone had something to say about the security hole.

The security flaw is this: Essentially, when two users, call them User A and User B, exchange messages, encryption keys encrypt the message at the sending point and decrypt it at the receiving point. This is called end-to-end encryption. This system used the Signal protocol to guarantee security, and it works as intended.

Is WhatsApp really as secure as Facebook promises

The problem is that WhatsApp can force new encryption keys to be made for users without their knowledge or consent. This means that any unsent messages are now sent using this new keyset. Additionally, only the sender is notified that the keys have been changed and only if they’ve opted into it in the app’s options. Additionally, the notification comes only after the messages have been re-sent.

That means that Facebook, and any law enforcement or government agencies that Facebook is cooperating with, has a way to read your messages on the server without your knowledge.

Community Responses

Slashdot published a scathing excerpt from William Turton, a writer at Gizmodo, who said the following regarding the allegations of a “backdoor.”

“If true, this would have massive implications for the security and privacy of WhatsApp’s one-billion-plus users. Fortunately, there’s no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian‘s story is ‘major league f**kwittage.'”

Turton goes on to write that a backdoor would imply that someone had cracked the Signal protocol WhatsApp uses to protect messages to and from users. But that’s not correct at all because the flaw doesn’t lie within the Signal protocol itself. The security flaw lies in how WhatsApp implements it. Essentially, the locks and keys are good, but WhatsApp has put shady characters in charge of them and doesn’t tell you that the keys and locks have changed until after you’ve already used them.

According to Muffett, this security hole is actually a “feature,” one that is working as intended. He goes on to say that it is also ignorable. Muffett, who was an engineer on Facebook’s security infrastructure team, goes on to say this.

“Say that I am sending to you, and your phone is offline because your [battery] is flat, or you have no coverage, or something. Some messages ‘back up’ on my phone, waiting to talk to yours. The proposition is that this condition: backed up messages, combined with someone colluding with Facebook, WhatsApp to ‘fake’ the ‘person has a new phone’ condition, can lead to the backed-up messages being re-encrypted and sent to the new, fake or colluded phone.”

WhatsApp vulnerability could allow Facebook to read messages

Essentially, Muffett is confirming the vulnerability here but is trying to diminish the possibility of it ever being used. But in a supposedly secure messaging system like WhatsApp that uses this security as a leverage and advertising point, the existence of this backdoor is troubling.

Facebook’s Response

Even more troubling is that Facebook has known about this security flaw since April of 2016, when Tobias Boelter, a cryptography and security researcher at the University of California, notified them of the flaw. Like Muffett, Facebook extolls this vulnerability as a feature. And given Facebook’s reputation when it comes to user data, it’s one that they won’t be fixing anytime soon.

Keep in mind, however, that this “feature” could be used to intercept and read your entire WhatsApp conversation. While security isn’t a major concern for most, more activists have been using WhatsApp because of its security.

Do you use WhatsApp? Will you keep using it despite the backdoor and security vulnerabilities? Let us know in the comments below.

[Featured Image by Jakraphong Photography/Shutterstock]