Mumbai: The claims of complete security by WhatsApp for its one billion users has been exposed by Tobias Boelter, a cryptographer and security researcher at the University of California, Berkeley.
He told the Guardian newspaper over the weekend: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Both WhatsApp and Facebook denied this saying “WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor.
“The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.
However, Mr Boelter discovered that WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
Explaining where the vulnerability lies Ankush Johar, director, BugsBounty.com said “if I change my phone and put a new WhatsApp, at 10.1am and at 10am you had sent me a message which I didn’t get, WhatsApp generates the ability to give a new encryption so I get the message and when they assign it, it means there is vulnerability.
“So this design or signal does not mean that there is no backdoor. This affects the community that wants privacy.” Mr Johar suggests that Whatsapp users should immediately turn ‘ON’ a setting and keep it on by default, so they know when the encryption key is changed.
This would alert them that a new key has been generated. To turn on this notification: Navigate to Settings in whatsapp -> choose account -> choose security -> enable the “Show security notifications” option.
