The Guardian recently reported a weakness in WhatsApp that could let the service itself, or anyone able to compel it, read messages despite the app's end-to-end encryption. WhatsApp builds on the Signal Protocol for its message encryption, but its own handling of key changes can expose undelivered messages without the sender's knowledge. That is not supposed to happen.
The flaw was found by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. WhatsApp's implementation departs from the Signal Protocol in how it treats a changed key: the server can trigger the generation of a new encryption key for a user who is offline, and the sender's client then automatically re-encrypts any still-undelivered messages under the new key and resends them. The sender is never asked to approve this. By default the app does not even mention it, and the optional security notification, for users who have switched it on, arrives only after the messages have already gone out under the new key. Boelter reported his finding to Facebook in April 2016. Facebook replied that this was "expected behaviour" and not a bug.
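The two client policies at issue, side by side, as an added illustration that is not code from the article, from WhatsApp or from Signal. It uses a toy Diffie-Hellman group and a hash-based stream cipher standing in for the real protocol (assumptions: the constants `P` and `G`, the message text, and the function names are all constructed for this example), and models the server as the party that can announce a new key for an account. Under the "auto_resend" policy the article describes, a message that was queued for an offline recipient is re-encrypted to the announced key and becomes readable by whoever holds that key; under the "block_until_verified" policy, nothing is resent until the user has checked the new key.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a Mersenne prime and a fixed base. Constructed for
# illustration only; real deployments use X25519 and the Signal Double Ratchet.
P = 2**127 - 1
G = 3


class Identity:
    """A long-term identity key pair: private exponent x, public value g^x mod p."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)


def _keystream(shared: int, length: int) -> bytes:
    """Expand a DH shared secret into `length` bytes with SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_to(recipient_pub: int, plaintext: bytes):
    """Ephemeral-static DH, XOR keystream, and a short tag. Only the holder of the
    private key behind `recipient_pub` can recover the keystream."""
    eph = Identity()
    shared = pow(recipient_pub, eph.priv, P)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(shared, len(plaintext))))
    tag = hashlib.sha256(b"tag" + shared.to_bytes(16, "big") + ct).digest()[:8]
    return eph.pub, ct, tag


def decrypt_with(priv: int, eph_pub: int, ct: bytes, tag: bytes):
    """Return the plaintext, or None if `priv` is not the key the message was sent to."""
    shared = pow(eph_pub, priv, P)
    if hashlib.sha256(b"tag" + shared.to_bytes(16, "big") + ct).digest()[:8] != tag:
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(shared, len(ct))))


def forced_key_change(policy: str, security_notifications: bool) -> dict:
    """Simulate one undelivered message across a server-announced key change.

    policy = "auto_resend": the client behaviour the Guardian story attributes to
             WhatsApp (accept the new key, re-encrypt the queue, resend).
    policy = "block_until_verified": hold the queue and ask the user to verify the
             new key first, as the Signal app does.
    """
    bob = Identity()
    bob_key_as_alice_knows_it = bob.pub                 # trusted on first use
    msg = b"meet at 9"                                  # constructed sample message
    queued = [encrypt_to(bob_key_as_alice_knows_it, msg)]   # Bob is offline

    # The server (the party that can announce keys for an account) registers a
    # fresh key pair for Bob and tells Alice's client that Bob's key changed.
    server_key = Identity()
    announced_pub = server_key.pub

    resent = []
    if policy == "auto_resend":
        bob_key_as_alice_knows_it = announced_pub
        resent = [encrypt_to(bob_key_as_alice_knows_it, msg)]
        sender_notified = security_notifications        # after the fact, and only if enabled
    elif policy == "block_until_verified":
        sender_notified = True                          # user must approve before anything is resent
    else:
        raise ValueError(f"unknown policy {policy!r}")

    # What the server can read: anything encrypted to the key it controls.
    readable_by_server = sum(
        1 for eph_pub, ct, tag in queued + resent
        if decrypt_with(server_key.priv, eph_pub, ct, tag) == msg
    )
    # The legitimate Bob can still read the original queued copy either way.
    readable_by_bob = sum(
        1 for eph_pub, ct, tag in queued
        if decrypt_with(bob.priv, eph_pub, ct, tag) == msg
    )
    return {
        "readable_by_server": readable_by_server,
        "readable_by_bob": readable_by_bob,
        "sender_notified": sender_notified,
    }


if __name__ == "__main__":
    for pol in ("auto_resend", "block_until_verified"):
        for notif in (False, True):
            label = "notifications on" if notif else "notifications off"
            print(pol, label, forced_key_change(pol, notif))
```

The point the simulation makes is that the notification setting changes only whether the sender learns about the resend, not whether it happens; the exposure is decided by the policy, which is why the same key change is harmless under the blocking policy.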
An outside attacker cannot exploit this on their own, because only the service can announce a new key for an account. What the behaviour means is that WhatsApp itself, or anyone who can compel it, is in a position to read messages that were still undelivered when a key change was forced; that is narrower than Facebook having a full view of all traffic, but it is a capability a strict end-to-end design should not have. Speculation at the time was that the design had been demanded by governments. A statement from the company tries to put the minds of its more than one billion users at ease:
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a ‘backdoor’ allowing governments to force WhatsApp to decrypt message streams. This claim is false.
WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”