Backdoor Found In WhatsApp End To End Security

It seems that those who rely on the fact that popular messaging app WhatsApp appears to have a backdoor that could allow Facebook (who owns WhatsApp) to read messages as well as making it possible for the company to comply with court orders to make messages available to government bodies. Here’s what The Guardian reports:

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

This news is sure to send Facebook into full damage control mode as Facebook really pushes the end to end encryption feature of WhatsApp and that they can’t read your messages. It will be interesting to see how they respond to this (which they haven’t as I type this), and how WhatsApp users respond to this.

Advertisements

One Response to “Backdoor Found In WhatsApp End To End Security”

  1. […] recall that I posted a story that detailed a story from The Guardian on what it called a “backdoor” in WhatsApp. Some security researchers have called out […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: