How WhatsApp might not be so private after all
Your WhatsApp conversations are vulnerable to prying eyes despite Facebook’s encryption claims, according to research seen by The Guardian.
WhatsApp’s end-to-end encryption has a security vulnerability, says report.
“The potential for government abuses from this misuse of encryption with WhatsApp is alarming”, said Kevin Bocek, chief cyber security strategist at Venafi. For the uninitiated, Open Whisper Systems are the developers of the Signal protocol, which WhatsApp uses for its end-to-end encryption. Each user holds a key, and it is this key that encrypts and decrypts the messages.
However, WhatsApp apparently can force new encryption keys to be generated for offline users without the prior knowledge of either the sender or the receiver, and then have the sender re-encrypt the messages with the new keys and re-send them.
However, a little-known setting on the Facebook-owned app could help to protect users’ privacy.
WhatsApp’s promise of end-to-end encryption, on which the company released a technical white paper the previous year, is very important to many of its over one billion users.
A security issue could allow Facebook and other parties to intercept and read the messages you send via WhatsApp.
Security researcher Tobias Boelter was the first to make the vulnerability public, after notifying WhatsApp and giving them ample time to come up with a patch.
This type of attack would be hard for a common criminal to carry out, considering that WhatsApp servers are well-protected from hacking, but a government agency could theoretically force the company to do this.
In theory, WhatsApp could take advantage of this without the sender or the recipient finding out about the change.
A WhatsApp spokesperson said: “At WhatsApp, we’ve always believed that people’s conversations should be secure and private”. The vulnerability would allow Facebook to read messages sent through the supposedly secure system, as well as making it possible for the company to comply with court orders to make messages available to government bodies. As a safeguard, the app allows its users to verify in person the keys of their contacts after they’ve been exchanged over the internet.
So news that WhatsApp is designed with a loophole that could let the company access messages was damning.
Boelter reported the problem to Facebook in April of 2016 – the very same month end-to-end encryption was added to the app. Worryingly, staff at The Guardian have confirmed that the issue still exists today. It’s important to note that the only data affected would be what’s stored locally on the device and hasn’t yet been “delivered”, but that doesn’t prevent an automated process from changing the keys before each and every message is sent. Users are only notified of the change after the fact, once the message has already been re-sent. Such key changes also happen legitimately often enough, for example when users switch to a different device or SIM card, which makes a forced change easy to overlook. To turn on encryption warnings, go to Settings – Account – Security – Show security notifications.
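The following added example is constructed for this article and is not WhatsApp’s or Signal’s code: it models a sender that pins a contact’s identity key on first use and compares three policies for handling a key the server announces for an offline contact, namely silently re-encrypting queued messages, re-encrypting and then notifying (the behaviour described above), or holding the messages until the user has verified the new fingerprint in person. The fingerprint function and the `(fingerprint, text)` stand-in for an encrypted message are simplifications assumed for the illustration.

```python
import hashlib

def fingerprint(identity_key: bytes) -> str:
    # Short fingerprint of an identity key: the value contacts compare in person.
    return hashlib.sha256(identity_key).hexdigest()[:16]

class Sender:
    """Sender-side identity-key pinning (trust on first use).
    policy 'silent': re-encrypt queued messages to whatever key the server
    announces and say nothing.  'notify': re-encrypt, send, then warn the user
    (what the article describes).  'block': hold queued messages until the
    user confirms the new fingerprint out of band."""
    def __init__(self, policy):
        self.policy = policy
        self.pinned = {}    # contact -> identity key first seen for them
        self.pending = {}   # contact -> announced key awaiting verification
        self.queue = {}     # contact -> plaintexts waiting for an offline contact
        self.notices = []   # security notifications shown to the user

    def queue_message(self, contact, text):
        self.queue.setdefault(contact, []).append(text)

    def deliver(self, contact, server_key):
        """The server announces the key it now holds for contact.  Returns the
        (fingerprint, text) stand-ins for the messages actually sent."""
        old = self.pinned.get(contact)
        if old is not None and server_key != old:
            if self.policy == "block":
                # Keep the old pin; nothing leaves until the user verifies.
                self.pending[contact] = server_key
                self.notices.append(f"{contact}: new key {fingerprint(server_key)}, messages held")
                return []
            if self.policy == "notify":
                self.notices.append(f"{contact}: security code changed "
                                    f"{fingerprint(old)} -> {fingerprint(server_key)}")
        # 'silent' and 'notify' both accept the new key and re-encrypt to it.
        self.pinned[contact] = server_key
        return [(fingerprint(server_key), t) for t in self.queue.pop(contact, [])]

    def verify(self, contact, fingerprint_seen):
        """User compared a fingerprint in person; accept the pending key if it matches."""
        key = self.pending.get(contact)
        if key is None or fingerprint(key) != fingerprint_seen:
            return False
        self.pinned[contact] = key
        del self.pending[contact]
        return True
```

Only the blocking policy keeps a forced key change from reaching the re-encrypted message, and only when the user actually checks the fingerprint; the notify policy is what the security-notifications setting turns on.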