WhatsApp vulnerable to snooping: report

January 13, 2017
A report says that WhatsApp messages could be read without its billion-plus users knowing due to a security backdoor

The Facebook-owned mobile messaging service WhatsApp is vulnerable to interception, the Guardian newspaper reported on Friday, sparking concern over an app advertised as putting an emphasis on privacy.

The report said that WhatsApp messages could be read without its billion-plus knowing due to a backdoor in the way the company has implemented its end-to-end encryption protocol.

The system relies on unique security keys "that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman," the report said.

But WhatsApp can force the generation of new encryption keys for offline users "unbeknown to the sender and recipient of the messages," it said.

Tobias Boelter, a cryptography researcher at the University of California told the Guardian: "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys."

Boelter said he had reported the backdoor vulnerability to Facebook in April 2016 and was told that Facebook was already aware of the issue but that it was not actively being worked on.

The company said in a statement that it provided a "simple, fast, reliable and secure" service.

It said there was a way of notifying users when a contact's security code had changed.

"We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp.... In these situations, we want to make sure people's messages are delivered, not lost in transit," it said in a statement.

But the Guardian said it had verified that the security backdoor still exists.

The paper quoted Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights, saying: "WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform".

Facebook bought WhatsApp in 2014 but it continues to operate as a separate app.

Explore further: WhatsApp is secure and OK for politicians to use, provided simple steps are followed

Related Stories

WhatsApp adds messaging from Web

January 21, 2015

The popular mobile messaging application WhatsApp, acquired by Facebook last year for nearly $22 billion, unveiled a new service Wednesday for sending messages from a Web browser.

WhatsApp service stumbles briefly

January 26, 2016

Facebook-owned smartphone messaging service WhatsApp temporarily crashed in an array of countries from the US to India, potentially affecting hundreds of millions of users.

WhatsApp is going to share your phone number with Facebook

August 25, 2016

Global messaging service WhatsApp says it will start sharing the phone numbers of its users with Facebook, its parent company. That means WhatsApp users could soon start seeing more targeted ads and Facebook friend suggestions ...

Recommended for you

Volumetric 3-D printing builds on need for speed

December 11, 2017

While additive manufacturing (AM), commonly known as 3-D printing, is enabling engineers and scientists to build parts in configurations and designs never before possible, the impact of the technology has been limited by ...

Tech titans ramp up tools to win over children

December 10, 2017

From smartphone messaging tailored for tikes to computers for classrooms, technology titans are weaving their way into childhoods to form lifelong bonds, raising hackles of advocacy groups.

2 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

gkam
1 / 5 (4) Jan 13, 2017
Trust nobody.

We have some decent spooks, but they are looking at us, and not the Russians, who watch all of it.
zapnzs
5 / 5 (1) Jan 13, 2017
This should come as a disappointment but not as a surprise.

It's not uncommon for supposedly "secure" communication methods to have certain means of bypassing security implementations. I don't think this is necessarily intentional malice, but rather a mindset of "we will incorporate this feature, which we will keep secret, so that the good guys can use it to stop the bad guys." Facebook's acknowledgement of the problem, without intent to patch, seems to reflect this, and the actions of some intelligence organizations have incentivized/pushed this on companies (for example, the NSA paying for an intentional compromise in RSA's Dual Elliptic Curve.) The problem is, as Tim Cook had to stress to both US Presidential candidates, is that there is no such thing as a security bypass that only the good guys can use, that the bad guys will not also be able to use. For someone living in a country ruled by a repressive regime, there's no way to prevent that regime from using the same exploit.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.