Researcher: WhatsApp has 'bug' that could be exploited

Researcher: WhatsApp has 'bug' that could be exploited

Screen grab of smartphone showing icons for Facebook and WhatsApp

WhatsApp has a security bug that could allow encrypted messages to be intercepted from the popular messaging app that owner Facebook has said promises end-to-end encryption, security and privacy advocates say.

WhatsApp, acquired by Facebook in 2014, said last year that all communications such as text messages, videos and other files flowing the service would be encrypted. The app has become hugely popular, with more than 1 billion users.

About the time that WhatsApp announced its end-to-end encryption, cryptography and security researcher Tobias Boelter at the University of California-Berkeley contacted WhatsApp about a flaw he had found in the app. He found that undelivered messages -- perhaps because the receiver of the message was offline or had changed their phone number -- could be intercepted either by an attacker or WhatsApp itself, he says.

Thats because WhatsApp makes new encryption keys for undelivered messages and those could be intercepted by a third party that is not WhatsApp. WhatsApp itself, since it is generating another version of the message, has it on its servers, too.

In an interview with The Guardian, Boelter said, “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

Boelter also did a presentation on the WhatsApp vulnerability earlier this year -- a video is posted on Twitter -- and wrote about the situation on his blog in May saying that "next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI."

He contacted Facebook and WhatsApp about the vulnerability in April 2016 and, in May, Facebook told him the company is not "actively working on changing" it.

In a statement to USA TODAY, WhatsApp said: "The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a 'backdoor' allowing governments to force WhatsApp to decrypt message streams. This claim is false."

The app maker "does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor," the statement continues. "The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."

Still, the potential for government abuse "from this misuse of encryption with WhatsApp is alarming,” said Kevin Bocek, vice president of security strategy at Venafi, a company that secures cryptographic keys.

Companies need to have systems in place to protect and change keys quickly. “This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption, to protect privacy – what has become a basic right for both people and machines worldwide,” he said.

WhatsApp has breached consumers' trust "as well as potentially the communications privacy of all of their users, depending on how widespread the practice of flipping encryption keys is," said Kirstie Ball, a professor at the Centre for Research into Information Surveillance and Privacy at the University of St. Andrews (Scotland). "This concerns users because it means that they have no guaranteed communications privacy on WhatsApp, so it is potentially a breach of their fundamental human rights."

Privacy advocates had been concerned with WhatsApp on another issue, too. In August 2016, WhatsApp said it would begin sharing data with Facebook, as a way to better serve users and fight spam. But the requirement that users opt-out of the feature led privacy groups including Electronic Privacy Information Center to file complaints with the Federal Trade Commission.

EPIC called the move an "unfair and deceptive trade practice." And European Union Commissioner Margrethe Vestager said Facebook "gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp."

Add Comment

all comments

  Other news

Sunstroke suspected over baby death in car

Sunstroke suspected over baby death in car..

26-May, 08:24

A post-mortem examination is expected to take place on Friday after the...

Should you enroll in Medicare? For most, answer is yes

Should you enroll in Medicare? For most, answer is yes..

26-May, 08:56

Don't be late! When should you sign up for Medicare? There isn't exactly...

Chipotle identifies malware used in credit card hack

Chipotle identifies malware used in credit card hack..

26-May, 20:24

Chipotle released further information about a data breach on Friday....

Just Cool Cars: '61 VW Westfalia camper is a marvel

Just Cool Cars: '61 VW Westfalia camper is a marvel..

27-May, 04:50

John Tanner, of Valenica, Calif., with his 1961 Volkswagon Westfalia...

The Latest: Germany backs Tusk re-election to EU top job

The Latest: Germany backs Tusk re-election to EU top job..

09-Mar, 05:38

The Latest on the European Union summit taking place Thursday and Friday...

Professor behind designated drivers takes on distracted ones

Professor behind designated drivers takes on distracted ones..

05-Apr, 17:40

A Harvard University professor who introduced Americans to the concept of...

Portuguese Teens Who Left Names on Auschwitz Gate Sentenced

Portuguese Teens Who Left Names on Auschwitz Gate Sentenced..

08-Feb, 15:24

Two Portuguese teenagers who wrote their names on a gate of the former...

Teen Rapper Episode 1

Teen Rapper Episode 1..

11-Feb, 19:24

The following Teen Rapper Episode 1 English Sub has been released. Full...