WhatsApp encryption vulnerability allows messages to be intercepted


A WhatsApp encryption vulnerability may enable messages sent using the service to be intercepted, a security expert has revealed.

Tobias Boelter, a researcher at the University of California, found an issue that allows the way data is encrypted to be changed without users’ consent, according to The Guardian.

He said WhatsApp can force the generation of new encryption keys for offline users, meaning the sender must re-encrypt undelivered messages with new keys and send them again.

The sender is notified that this has happened only after the messages have been resent, and only if they have encryption warnings turned on; the recipient is not notified at all.

This means that if the recipient is offline when a message is sent, an attacker who can register the receiving number with the WhatsApp server can read the resent, re-encrypted message.
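The behaviour described above can be contrasted with a stricter handling policy. The following is an added illustration, not WhatsApp's code: encryption is simulated by tagging each message with the identity key it was encrypted to, and the two policies, re-encrypt-then-warn versus hold-until-verified, are assumptions for the sake of the model.

```python
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):
    AUTO_REKEY = "re-encrypt to the new key, warn afterwards if enabled"
    BLOCK_ON_CHANGE = "hold the message until the user accepts the new key"

@dataclass
class Ciphertext:
    key_id: str  # identity key the message is encrypted to (simulated, not real crypto)
    body: str

@dataclass
class Sender:
    policy: Policy
    warnings_enabled: bool
    known_key: str                              # recipient key pinned on first use
    outbox: list = field(default_factory=list)  # undelivered ciphertexts
    held: list = field(default_factory=list)    # plaintexts waiting for key approval
    log: list = field(default_factory=list)     # what the user actually gets to see

    def send(self, text):
        self.outbox.append(Ciphertext(self.known_key, text))

    def on_key_change(self, new_key):
        """Server announces that the recipient now has identity key new_key."""
        undelivered = [c for c in self.outbox if c.key_id != new_key]
        if self.policy is Policy.AUTO_REKEY:
            # Re-encrypt every undelivered message to the new key and resend.
            # Any warning is shown only after the resend, and only if enabled.
            self.outbox = [Ciphertext(new_key, c.body) for c in undelivered]
            self.known_key = new_key
            if self.warnings_enabled:
                self.log.append(f"security code changed; resent to {new_key}")
        else:
            # Hold the plaintext; nothing is encrypted to the unverified key.
            self.held = [c.body for c in undelivered]
            self.outbox = []
            self.log.append(f"security code changed; {len(self.held)} message(s) held")
        return self.outbox

    def accept_key(self, new_key):
        """User has verified the new security code; release held messages."""
        self.known_key = new_key
        self.outbox = [Ciphertext(new_key, t) for t in self.held]
        self.held = []
        return self.outbox
```

With AUTO_REKEY and warnings off, the undelivered message is re-encrypted to the new key with nothing logged; with BLOCK_ON_CHANGE the plaintext stays held until accept_key() is called.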

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told The Guardian.

He said he told Facebook about the issue in April 2016, but was told that it was not being worked on because it was “expected behaviour” for the app.

“The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming,” said Kevin Bocek, chief cyber security strategist at security firm Venafi.

“This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private.

“This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed.

“This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide.”

A WhatsApp spokesperson said the change of keys most commonly happens when a user gets a new phone or reinstalls the WhatsApp messaging app.

“This is because in many parts of the world, people frequently change devices and SIM cards,” the spokesperson told The Guardian. “In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

Users can turn on WhatsApp security notifications in Settings > Account > Security.

For more on the vulnerability, see Boelter’s blog post from April 2016.


Photo © Jan Persiel (CC BY-SA 2.0). Cropped.

Copyright Lyonsdown Limited 2021
