
Encrypted messaging platform WhatsApp denies “backdoor” claim

A security issue has been flagged in the hugely popular mobile messaging app WhatsApp that could allow for messages sent via the encrypted platform to be intercepted and read.
The Guardian report, which describes the vulnerability as a “backdoor”, notes that independent security researcher Tobias Boelter identified the issue in April 2016, when he says he reported it to Facebook, only to be told it was “expected behavior”, and that the company was not actively working on fixing it. The newspaper says it has verified the vulnerability still exists.
Despite being a mainstream messaging app, WhatsApp has gained praise from security experts for implementing the respected end-to-end encryption Signal Protocol across its platform, completing its rollout of end-to-end encryption in April last year. Yet the company’s code remains closed source, which means users have always been required to trust its claims with no ability for external audits of its code (although it’s also worth noting that WhatsApp did work with Open Whisper Systems (OWS), the organization behind the Signal Protocol, to implement the e2e crypto across the platform).
The security issue identified by Boelter, and reported on by the Guardian now following a talk he gave about it at the end of last month, concerns an aspect of WhatsApp’s Signal implementation that allows it to force the generation of new encryption keys for offline users. This is described as a “retransmission vulnerability” by Boelter, and claimed as a route for messages to be intercepted and read, and thus as a potential backdoor in WhatsApp’s end-to-end encryption.
However, WhatsApp denies the backdoor characterization, saying it’s a design decision relating to message delivery, with new keys being generated for offline users in order to ensure messages don’t get lost in transit.
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false,” said a company spokesperson in a statement sent to TechCrunch.
“WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report,” it added.
WhatsApp/Facebook details its responses to government requests for user data here.
Multiple security commentators have also pointed out that the vulnerability being flagged here is nothing new, but rather a rehashing of the long-standing issue of how key verification is implemented within an encrypted system.
In an earlier statement WhatsApp pointed out that its implementation of the Signal protocol includes an optional “Show Security Notifications” setting that will notify a user when a contact’s security code has changed — thereby allowing users to opt in to be notified when/if a key has been changed (and thus when/if there’s a risk of their messages being man-in-the-middle intercepted).
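The re-keying decision described above, as an added simplified model rather than WhatsApp’s or Signal’s code: identity keys are constructed byte strings, “encryption” is replaced by tagging a message with the recipient key’s fingerprint, and the “hold until verified” policy is a generic stricter alternative shown for contrast, not a claim about what WhatsApp does.

```python
"""Model of a sender retrying an undelivered message after the recipient's
identity key changes. Added illustration only; keys and policies are assumed."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def security_code(identity_key: bytes) -> str:
    """Short fingerprint of an identity key, the 'security code' users compare."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Sender:
    # False: silently re-encrypt to whatever key the server now reports.
    # True: surface a notification and hold the message until the user verifies.
    hold_on_key_change: bool
    pinned: dict = field(default_factory=dict)        # recipient -> first-seen code
    notifications: list = field(default_factory=list)

    def encrypt_for(self, recipient: str, key: bytes, text: str) -> Optional[dict]:
        """Return a message tagged with the key it was encrypted to, or None if held."""
        code = security_code(key)
        previous = self.pinned.get(recipient)
        if previous is not None and previous != code:
            # Trust-on-first-use check: the key differs from the one pinned earlier.
            self.notifications.append(f"{recipient}: security code {previous} -> {code}")
            if self.hold_on_key_change:
                return None                # undelivered until the new code is verified
        self.pinned[recipient] = code      # silent policy: accept and re-pin
        return {"to": recipient, "key_code": code, "body": text}


def retry_after_rekey(hold: bool) -> tuple:
    """Constructed scenario: first message pins key A; the retry of an undelivered
    message is offered key B by the server. Returns (retried message, notifications)."""
    key_a, key_b = bytes([1]) * 32, bytes([2]) * 32   # constructed sample keys
    sender = Sender(hold_on_key_change=hold)
    sender.encrypt_for("bob", key_a, "earlier message")
    retried = sender.encrypt_for("bob", key_b, "message queued while bob was offline")
    return retried, sender.notifications
```

With the silent policy the retry is re-encrypted to key B with nothing shown to the user; with the hold policy the message stays undelivered and the key-change notification is the only visible effect.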