A security flaw in an app used by a billion people should remind us all to keep tabs on our privacy.
The relationship between Facebook and WhatsApp has been … complicated. In December, the social media giant was accused of misleading European regulators in advance of its $22 billion acquisition of the messaging app, while WhatsApp users were displeased to find that their information was being shared with Facebook.
That relationship grew more complicated after a report from the Guardian last week, which said that “a security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.” But was that report accurate? A group of security researchers have just penned an open letter asking the Guardian to retract its story, calling it “the equivalent of putting ‘VACCINES KILL PEOPLE’ in a blaring headline over a poorly contextualized piece.”
The crux of the debate: WhatsApp told users last April that it had implemented end-to-end encryption for all messages sent through its platform, but the Guardian’s report suggested that the app neglected to mention a caveat — Facebook can intercept your messages. And if Facebook can do it, then so too can a government agency.
The alleged backdoor was brought to light by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he told the Guardian.
The supposed backdoor, the Guardian explained, had to do with WhatsApp’s encryption, which uses the Signal protocol and depends upon a set of unique, generated security keys. These keys are exchanged and verified between users to ensure that their messages are protected.
However, WhatsApp apparently could generate new encryption keys for offline users without the prior knowledge of either the sender or receiver, and then have the sender re-encrypt messages with new keys to resend them. This process would essentially let WhatsApp intercept and read messages.
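To make the key-change behaviour concrete, here is an added, constructed model (not WhatsApp’s or Signal’s code): a relay that can swap a recipient’s key while they are offline, and a sending client that either silently re-encrypts to the new key or holds the message until the user verifies the changed key. The HMAC keystream cipher, the `Server`/`Client` classes and the sample message are all stand-ins invented for this illustration.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the real session cipher: an HMAC-SHA256 counter keystream
    XORed with the data. The same call encrypts and decrypts. Illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def fingerprint(key: bytes) -> str:
    """Short digest of a key, the analogue of the safety number a user verifies."""
    return hashlib.sha256(key).hexdigest()[:16]

class Server:
    """Hypothetical relay that hands out each recipient's current key."""
    def __init__(self):
        self.keys = {}

class Client:
    def __init__(self, server, block_on_key_change):
        self.server = server
        self.block_on_key_change = block_on_key_change
        self.pinned = {}  # recipient -> fingerprint seen on first contact (trust on first use)

    def send(self, to: str, plaintext: bytes):
        key = self.server.keys[to]
        fp = fingerprint(key)
        if to in self.pinned and self.pinned[to] != fp and self.block_on_key_change:
            return "blocked", None  # hold the message until the user verifies the new key
        self.pinned[to] = fp  # otherwise silently accept the new key and re-encrypt
        return "sent", keystream_xor(key, plaintext)

def scenario(block_on_key_change: bool) -> dict:
    """Alice sends to Bob, the relay swaps Bob's key while he is offline, Alice resends."""
    server = Server()
    alice = Client(server, block_on_key_change)
    msg = b"meet at 9"  # constructed sample message
    old_key = os.urandom(32)
    server.keys["bob"] = old_key
    alice.send("bob", msg)  # first contact pins Bob's original key
    new_key = os.urandom(32)  # key regenerated without either party's knowledge
    server.keys["bob"] = new_key
    status, ciphertext = alice.send("bob", msg)  # the resend described in the article
    return {"status": status, "ciphertext": ciphertext,
            "old_key": old_key, "new_key": new_key, "msg": msg}
```

With the automatic client the resent ciphertext is readable by whoever holds the new key; with the blocking client nothing is sent until the changed fingerprint is verified out of band.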
Boelter’s findings were further verified by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. He noted, “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”