WhatsApp security flaw? Researcher claims bug allows snooping on encrypted messages, but tech firm denies it’s a ‘backdoor’

Facebook-owned WhatsApp encrypts messages that its 1 billion users send to one another, but a UC Berkeley cryptography and security researcher claims the app has a bug that can be exploited to read these messages.

The researcher, Tobias Boelter, pointed out the vulnerability in his blog last April and The Guardian verified it still exists. Privacy advocates, the media outlet said, warned it could be used by government agencies as a “backdoor” to read the encrypted messages of WhatsApp users. The company on Friday denied this claim.

When a person sends a WhatsApp message, it is encrypted with the recipient’s security key. But if the recipient doesn’t get the message because he or she is offline, an attacker can intercept the undelivered messages by having them re-encrypted under a new security key, Boelter explained in his blog.

A WhatsApp user only becomes aware that the key was changed if they have enabled security notifications under the app’s settings.
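To make the behaviour described above concrete, here is a small Python model written for this article (it is not WhatsApp’s code or Boelter’s). A hypothetical sending client holds messages for an offline contact, the server announces a new key for that contact, and the client follows one of two policies: the one the article describes, which silently re-encrypts the queued messages under the new key and only logs an event if the opt-in notifications are on, or a stricter one that holds the messages until the user verifies the new key out of band. Contact names, fingerprints and method names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Message:
    to: str               # recipient
    text: str
    encrypted_under: str  # fingerprint of the recipient key the ciphertext was made with

@dataclass
class Client:
    """Hypothetical sending client (constructed example, not WhatsApp's code)."""
    contact_keys: Dict[str, str] = field(default_factory=dict)  # trusted key per contact
    pending_keys: Dict[str, str] = field(default_factory=dict)  # announced but unverified
    outbox: List[Message] = field(default_factory=list)         # not yet delivered
    notify_on_key_change: bool = False   # the opt-in "security notifications" setting
    block_on_key_change: bool = False    # stricter policy: hold messages until verified
    events: List[str] = field(default_factory=list)

    def queue(self, contact: str, text: str) -> None:
        self.outbox.append(Message(contact, text, self.contact_keys[contact]))

    def _reencrypt(self, contact: str, fp: str) -> None:
        for m in self.outbox:
            if m.to == contact:
                m.encrypted_under = fp

    def key_changed(self, contact: str, new_fp: str) -> str:
        """Server announces a new key for `contact`; returns the action taken."""
        old = self.contact_keys.get(contact)
        if old == new_fp:
            return "unchanged"
        if self.notify_on_key_change or self.block_on_key_change:
            self.events.append(f"{contact}: key changed {old} -> {new_fp}")
        if self.block_on_key_change:
            self.pending_keys[contact] = new_fp  # keep the old key; user must verify
            return "held"
        # Behaviour described in the article: silently trust the new key and
        # re-encrypt every undelivered message to this contact under it.
        self.contact_keys[contact] = new_fp
        self._reencrypt(contact, new_fp)
        return "reencrypted"

    def verify(self, contact: str, fp: str) -> bool:
        """User compared the security code out of band and confirmed `fp`."""
        if self.pending_keys.get(contact) != fp:
            return False
        self.contact_keys[contact] = self.pending_keys.pop(contact)
        self._reencrypt(contact, fp)
        return True
```

With the default settings the re-encryption leaves no trace in `events`; enabling notifications records it, and the blocking policy keeps the queued ciphertext under the old key until `verify` succeeds.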

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told The Guardian.

But WhatsApp denies this is true.

“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false,” the company said in a statement to SiliconBeat. “WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor.”

Encryption, privacy and security have become a growing concern in Silicon Valley. In February, a federal magistrate judge in Los Angeles ordered Apple to help the FBI unlock an iPhone used by one of the shooters in the San Bernardino terror attack that killed 14 people and injured 22. Apple publicly opposed the order, and the FBI later said it had successfully broken into the phone without the tech firm’s help.

On Friday, WhatsApp noted users have the option to receive security notifications, but “the design decision” referenced in the Guardian story prevents millions of messages from being lost.

“We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

Other security researchers also disagreed it was a “backdoor.”

On Friday, Boelter weighed in on whether the security vulnerability he discovered was a bug, a feature or a backdoor.

“It is a type of flaw that is not necessarily introduced by malice, just like many other critical vulnerabilities in important products that are reported daily,” he wrote. “But Facebook showed no interest in fixing the flaw since I reported it to them in April 2016. So maybe it was a bug first, but when discovered it got started being used as a backdoor?”

Photo Credit: Logo of WhatsApp, the popular messaging service bought by Facebook. STAN HONDA/AFP/Getty Images


