A security backdoor that can allow Mark Zuckerberg's staff to intercept and read encrypted WhatsApp messages has been revealed by a U.S. researcher, according to a new report.
Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, told The Guardian that due to the way WhatsApp has implemented its end-to-end encryption protocol, Facebook can intercept and read users’ messages.
The article explains that WhatsApp’s encryption relies on the "generation of unique security keys," which are traded and verified between users to ensure that communications are secure and cannot be intercepted.
But Facebook, which owns WhatsApp, has the ability to resend undelivered messages with a new security key, effectively allowing the company to access the 'encrypted' messages without the sender or recipient being aware or able to prevent it from happening. (The sender is alerted after the fact if they have opted in to encryption warnings.)
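The design point the report turns on is what a client does with an undelivered message when the recipient's key changes. The following added model (not WhatsApp or Open Whisper Systems code) contrasts a "resend" policy that silently re-encrypts queued messages to the new, unverified key with a "block" policy that holds them until the user re-verifies; the contact names, key bytes and the keyed SHA-256 stand-in for encryption are constructed for the example.

```python
"""Constructed scenario: Alice queues a message to Bob while Bob is offline, then
the server announces a new identity key for Bob. Encryption is stood in for by a
keyed SHA-256 commitment so the example runs offline; it is not a real cipher."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

def fingerprint(identity_key: bytes) -> str:
    """Short digest a user would compare out of band (a 'security code')."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

def seal(identity_key: bytes, plaintext: str) -> str:
    """Stand-in for encrypting a message to the holder of identity_key."""
    return hmac.new(identity_key, plaintext.encode(), hashlib.sha256).hexdigest()

@dataclass
class Client:
    trusted: Dict[str, bytes]                 # contact -> identity key the user verified
    warnings_enabled: bool = False            # the opt-in 'show security notifications'
    pending: List[Tuple[str, str]] = field(default_factory=list)  # (contact, plaintext)
    log: List[str] = field(default_factory=list)

    def on_key_change(self, contact: str, new_key: bytes, policy: str) -> List[str]:
        """Server reports that `contact` now has `new_key`; returns ciphertexts sent."""
        sent: List[str] = []
        if policy == "block":
            # Hold every undelivered message; nothing leaves until the user verifies.
            self.log.append(f"HELD: {contact} key is now {fingerprint(new_key)}; verify first")
            return sent
        # 'resend': adopt the new key and re-encrypt queued messages to it.
        self.trusted[contact] = new_key
        for c, text in list(self.pending):
            if c == contact:
                sent.append(seal(new_key, text))
                self.pending.remove((c, text))
        if self.warnings_enabled:
            # The sender learns of the change only after delivery, and only if opted in.
            self.log.append(f"NOTICE: {contact} security code changed to {fingerprint(new_key)}")
        return sent
```

With warnings off, the "resend" path leaves no trace in the client's log at all, which is the behaviour the article describes.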
"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter, who reported the security vulnerability to Facebook in 2016, told The Guardian.
This revelation has concerned privacy campaigners, including Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who told the paper that the vulnerability was "a huge threat" to freedom of speech. "If you're using WhatsApp to avoid government surveillance, stop now," warned one Twitter user.
In April 2016, Open Whisper Systems, the privacy-focused nonprofit software group, revealed in a blog post that it had completed work to integrate its encryption technology into WhatsApp. All chats, group chats, attachments, voice notes, and voice calls on Android, iPhone, Windows Phone, Nokia S40, Nokia S60, BlackBerry, and BB10 devices were said to be protected with strong encryption when users ran the latest version of the app.
WhatsApp also announced plans to make it clear whether a message is encrypted or not; for instance, members of a WhatsApp group would be notified about which messages were encrypted and which weren't.