After Facebook took over WhatsApp, the company maintained that no one could read your WhatsApp messages, not even Facebook. It promised privacy, with end-to-end encryption protecting its billion-plus users.
More users flocked in, and everybody embraced WhatsApp as one of the safest ways to pass a message to your friends without anyone else snooping.
But recently some privacy activists raised the alarm about a WhatsApp vulnerability. They stated that a loophole in WhatsApp could allow Facebook, and through it governments, to snoop on your messages. The weakness would let WhatsApp's own servers intercept and read messages that have not yet been delivered, and there are fears that Facebook might hand access to those messages to governments on request. That is bad for a company that promised its users privacy through a strict end-to-end encryption protocol.
How the WhatsApp Vulnerability Works
WhatsApp's end-to-end encryption is built on the Signal Protocol developed by Open Whisper Systems. Each user generates unique security keys; the keys are exchanged between the two parties and can be verified (by comparing key fingerprints). This guarantees that communication between users is secure and cannot be intercepted by a man in the middle, provided the keys in use really belong to the two parties.
WhatsApp automatically resends any message that has not been marked as delivered. If the recipient is offline, WhatsApp's servers can announce a new encryption key for that recipient without the knowledge of either the sender or the receiver. The sender's app then re-encrypts every undelivered message with the new key and sends it again, automatically.
The receiver is never told about the change, and the sender only sees a warning if they have opted into security notifications in their WhatsApp settings, and even then only after the re-encryption has been done and the messages resent. Whoever controls the new key, which in this scenario is WhatsApp itself, can then decrypt and read those resent messages.
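To make the key-change behaviour concrete, here is an added simulation. It is not WhatsApp's, Signal's or Open Whisper Systems' code: encryption is abstracted to an envelope that only the matching key holder can open, and the names Alice, Bob and Mallory, the two policy names and every function are assumptions for illustration. It contrasts a client that silently re-encrypts undelivered messages to a newly published key (the behaviour described above) with one that holds them until the user verifies the new fingerprint.

```python
"""Added simulation of the key-change behaviour described above (not WhatsApp code)."""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class KeyPair:
    """Stand-in for a user's identity key; public_id plays the fingerprint role."""
    owner: str
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    @property
    def public_id(self) -> str:
        return hashlib.sha256(self.secret).hexdigest()[:16]


@dataclass
class Envelope:
    """Abstracted ciphertext: only the holder of `to_key` can open it."""
    to_key: str
    payload: str


def open_envelope(kp: KeyPair, env: Envelope):
    """Return the plaintext for the matching key holder, None for anyone else."""
    return env.payload if env.to_key == kp.public_id else None


class Server:
    """The relay: publishes identity keys and queues undelivered messages."""

    def __init__(self):
        self.keys = {}   # user -> currently published public_id
        self.queue = {}  # user -> envelopes awaiting delivery

    def send(self, to: str, env: Envelope):
        self.queue.setdefault(to, []).append(env)

    def substitute_key(self, user: str, new_public_id: str):
        # Whoever controls the server can publish a key of their choosing and
        # simply never deliver the messages sealed to the old one.
        self.keys[user] = new_public_id
        self.queue[user] = []


class SenderClient:
    """policy 'auto_resend' models the behaviour described in the article;
    'block' models holding messages until the user verifies the new key."""

    def __init__(self, server: Server, policy: str, show_security_notifications: bool):
        self.server = server
        self.policy = policy
        self.show_notifications = show_security_notifications
        self.trusted = {}      # contact -> key trusted on first use
        self.undelivered = {}  # contact -> plaintexts not yet acknowledged
        self.notifications = []

    def send(self, to: str, text: str):
        key = self.server.keys[to]
        self.trusted.setdefault(to, key)
        self.server.send(to, Envelope(key, text))
        self.undelivered.setdefault(to, []).append(text)

    def on_key_change(self, contact: str):
        """Called when the server announces that `contact` has a new key."""
        new_key = self.server.keys[contact]
        if new_key == self.trusted.get(contact):
            return
        if self.policy == "block":
            # Nothing is re-encrypted until the user compares fingerprints.
            self.notifications.append(f"{contact}: key changed, messages held")
            return
        # auto_resend: undelivered messages are re-encrypted to the new key
        # and resent before the user has any chance to object.
        for text in self.undelivered.get(contact, []):
            self.server.send(contact, Envelope(new_key, text))
        self.trusted[contact] = new_key
        if self.show_notifications:
            self.notifications.append(f"{contact}: key changed (already resent)")


def run_scenario(policy: str, show_security_notifications: bool) -> dict:
    """Alice queues a message for offline Bob; the server swaps Bob's key for Mallory's."""
    server = Server()
    bob, mallory = KeyPair("bob"), KeyPair("mallory")
    server.keys["bob"] = bob.public_id
    alice = SenderClient(server, policy, show_security_notifications)
    alice.send("bob", "meet at 9")  # constructed sample message
    server.substitute_key("bob", mallory.public_id)
    alice.on_key_change("bob")
    queued = server.queue.get("bob", [])
    return {
        "read_by_mallory": [m for m in (open_envelope(mallory, e) for e in queued) if m],
        "readable_by_bob": [m for m in (open_envelope(bob, e) for e in queued) if m],
        "alice_alerted": bool(alice.notifications),
    }


if __name__ == "__main__":
    for policy, notify in [("auto_resend", False), ("auto_resend", True), ("block", False)]:
        print(policy, notify, run_scenario(policy, notify))
```

Under `auto_resend` the queued message ends up readable by whoever holds the substituted key, and Alice sees a notification only when she has opted in, and only after the resend has happened. Under `block` nothing is re-encrypted, so there is nothing for the key holder to read; the cost is that Alice's message stays undelivered until she verifies the new fingerprint, which is the trade-off between lost messages and silent interception that the rest of this article argues about.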
This security loophole was discovered by Tobias Boelter, a cryptographer and security researcher at the University of California, Berkeley.
Boelter found the loophole in April 2016 and reported it to Facebook. Facebook replied that it was aware of the issue, that it was "expected behavior", and that it was not being actively worked on. Facebook did not move to close the loophole as a company in its position should have done, and it has now been confirmed that the vulnerability still exists.
Facebook denies the claim that it shares, or would give, governments access to users' messages on request, calling the claim false and stating that Facebook would be the last company to do so.
As for the vulnerability itself, Facebook stated that the behaviour Boelter discovered was left in place intentionally because it prevents millions of messages from being lost, and that WhatsApp offers people security notifications to alert them whenever a potential security risk surfaces.
Another cryptographer has described Boelter's findings as normal and nothing new. He said, "if you don't verify keys, the authenticity of keys is not guaranteed."
Other security experts suggested that this is nothing new in the security industry and should not be seen as a backdoor.
A few others, like Kevin Bocek of the security firm Venafi, believe this is a serious and alarming security vulnerability.
Before you panic and drag Facebook through the mud, here is a piece from Open Whisper Systems, the same group that developed the encryption protocol WhatsApp uses. They made their position clear in a blog post titled "There is no WhatsApp back door", so you don't need to freak out after reading stuff online.
Seriously, who are you going to believe? The independent cryptographer and the security experts who side with him, or Facebook and Open Whisper Systems?
Well, that is your choice to make.