WhatsApp could spy on its users, report suggests
Image credit: Reuters
The Facebook-owned messaging application WhatsApp could reportedly spy on its users or provide access to messages to third parties, according to a US cyber-security researcher. The firm behind the apps’s encryption system dismisses the allegations.
Univeristy of California cryptologist Tobias Boelter told the Guardian that messages sent via WhatsApp could be read by a middle man without the users’ knowing when the app changes security keys.
WhatsApp uses unique security keys that are exchanged and verified between users to confirm the communication is secure. WhatsApp, however, can change those keys for users that are offline. Messages sent during this period are vulnerable as the app doesn’t expect the user to verify the security key, but instead generates completely new encryption keys, re-encrypts the messages and sends them again.
According to the Guardian report “this re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.” Boelter believes WhatsApp could possibly use this vulnerability to provide the government with access to the communication.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told the Guardian.
Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights, commented: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform."
Messaging app Signal, which uses the same encryption protocol, on the other hand, waits for the user to verify the key before delivering previously undeliverable messages.
WhatsApp later issued a statement saying that their way is more convenient for users.
“The design decision referenced in the Guardian story prevents millions of messages from being lost and WhatsApp offers people security notifications to alert them to potential security risks,” the firm said.
“WhatsApp published a technical white paper on its encryption design and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
Open Whisper Systems, which has developed the encryption protocol for WhatsApp also disagrees with the allegations.
In a blogpost on the company’s website, Moxie Marlinspike, one of the system’s developers, dismissed the claim saying that if WhatsApp wanted to spy on its users, it would most likely get caught by those users who actually do verify their keys. He also said the problem only affects a comparatively low number of messages.
”The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered,” Marlinspike said.
“Once the sending client displays a ‘double-check mark’, it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.”