Secret WhatsApp backdoor allows snooping on encrypted messages

Ever since WhatsApp announced end-to-end encryption of chats, every WhatsApp user has assumed that their private chats are safe from snooping, but that is not so. There exists a secret security backdoor in WhatsApp's encryption that can be used by Facebook and others to intercept and read all encrypted messages.

The top-secret WhatsApp backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. Boelter told the Guardian that “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.” Having discovered the security backdoor in WhatsApp, the cryptographer said that Facebook and others could potentially intercept and read encrypted messages in the app.
Facebook has refuted Boelter's claims and said that no one can intercept WhatsApp messages, not even its own staff. But the facts and the data provided by Boelter prove otherwise. WhatsApp uses end-to-end encryption that generates unique security keys using the Signal protocol, created by Open Whisper Systems. WhatsApp can issue new encryption keys to offline users and can make the sender re-encrypt undelivered messages with the new keys and send them again. The recipient isn’t notified about the change in encryption keys, while the sender is made aware only if they previously opted in to encryption warnings under settings, and only after the messages have already been re-sent. This small backdoor in the re-encryption method gives anyone with knowledge of it, including Facebook and WhatsApp, full access to users’ messages.

The backdoor is limited to WhatsApp and does not affect the Signal protocol itself. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes their security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys, without the message being automatically re-sent. In the case of WhatsApp, however, the undelivered message is re-sent with the new security key, which gives Facebook, its staff, or anybody with knowledge of the mechanism access to it.
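The difference between the two behaviours described above comes down to when the sender learns about the key change: before or after the queued plaintext has been re-encrypted to the new, unverified key. The following toy model is an added illustration, not code from WhatsApp or Signal; the policy names, the `Pending`/`Outcome` types and the sample queue are all constructed here to make that timing difference checkable.

```python
from dataclasses import dataclass, field

@dataclass
class Pending:
    text: str
    sealed_to: str   # identity key the message was originally encrypted to

@dataclass
class Outcome:
    resent_to_new_key: list = field(default_factory=list)  # texts re-encrypted and pushed out
    held: list = field(default_factory=list)               # texts kept back until the sender acts
    sender_warned: bool = False
    warned_before_resend: bool = False

def on_key_change(policy, pending, old_key, new_key, sender_opted_in=False):
    """Toy model of the two retransmission policies described in the article.
    'auto-resend' is the WhatsApp behaviour the article describes; 'fail-and-notify'
    is the Signal behaviour. Constructed illustration, not either app's code."""
    affected = [m for m in pending if m.sealed_to == old_key]
    out = Outcome()
    if policy == "auto-resend":
        # Undelivered messages are re-encrypted to the new key and sent without asking.
        out.resent_to_new_key = [m.text for m in affected]
        # The sender sees a warning only if opted in, and only after the resend.
        out.sender_warned = sender_opted_in
        out.warned_before_resend = False
    elif policy == "fail-and-notify":
        # Delivery fails, the sender is told about the key change, nothing is resent.
        out.held = [m.text for m in affected]
        out.sender_warned = True
        out.warned_before_resend = True
    else:
        raise ValueError(f"unknown policy: {policy}")
    return out

def exposed_before_sender_could_act(outcome):
    """True if plaintext was re-encrypted to the unverified key before the sender could stop it."""
    return bool(outcome.resent_to_new_key) and not outcome.warned_before_resend

# Constructed sample: two messages queued while the recipient was offline, then their key changes.
QUEUE = [Pending("meet at 9", "KEY_OLD"), Pending("bring the docs", "KEY_OLD")]

if __name__ == "__main__":
    for policy in ("auto-resend", "fail-and-notify"):
        for opted_in in (False, True):
            o = on_key_change(policy, QUEUE, "KEY_OLD", "KEY_NEW", opted_in)
            print(policy, f"opted_in={opted_in}",
                  f"exposed={exposed_before_sender_could_act(o)}", o)
```

Running it shows that under the auto-resend policy the sender's opt-in warning changes only whether they are told afterwards, not whether the queued plaintext was already re-sent under the new key.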

Boelter had informed Facebook and WhatsApp about the secret backdoor as far back as April 2016. Facebook told the cryptographer that it was a known issue, describing it as “expected behavior”.