WhatsApp encryption vulnerability allows messages to be intercepted

A WhatsApp encryption vulnerability may enable messages sent using the service to be intercepted, a security expert has revealed.

Tobias Boelter, a researcher at the University of California, found an issue that allows the way data is encrypted to be changed without users' consent, according to The Guardian.

He said WhatsApp can force the generation of new encryption keys for offline users, meaning the sender must re-encrypt undelivered messages with new keys and send them again.

The sender is only notified that this has happened after the messages are resent if they have encryption warnings turned on, and the recipient is not notified.

This means that if the recipient is offline when a message is sent, an attacker who can register the receiving number with the WhatsApp server can read the resent, re-encrypted message.
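The behaviour described above comes down to what a sender's client does with messages still queued for an offline contact when the server announces that the contact's key has changed. The following toy model is an added illustration, not code from the article, from Boelter's write-up or from WhatsApp; the client, key store, policy names and sample keys are all assumptions made for this example. It contrasts the silent resend the article describes with a client that records a security notification, and with one that holds queued messages until the user has confirmed the new key fingerprint out of band.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


def fingerprint(public_key: bytes) -> str:
    """Short identifier for a key, as a client would show on its verify screen."""
    return hashlib.sha256(public_key).hexdigest()[:16]


class KeyChangePolicy(Enum):
    SILENT_RESEND = "silent"        # re-encrypt queued messages under the new key, tell nobody
    NOTIFY_AND_RESEND = "notify"    # same, but record a security notification for the sender
    HOLD_UNTIL_VERIFIED = "hold"    # keep queued messages until the user confirms the new key


@dataclass
class QueuedMessage:
    text: str
    key_fp: str  # fingerprint of the recipient key this ciphertext is bound to


@dataclass
class SenderClient:
    """Hypothetical sender-side client; only the key-change handling is modelled."""
    policy: KeyChangePolicy
    pinned: dict = field(default_factory=dict)      # contact -> trusted key fingerprint
    pending: dict = field(default_factory=dict)     # contact -> announced but unverified fingerprint
    outbox: dict = field(default_factory=dict)      # contact -> undelivered messages
    delivered: list = field(default_factory=list)   # (contact, QueuedMessage) that left the device
    notifications: list = field(default_factory=list)

    def send(self, contact: str, text: str, contact_key: bytes, online: bool) -> None:
        # Trust on first use: the first key seen for a contact is pinned.
        fp = self.pinned.setdefault(contact, fingerprint(contact_key))
        msg = QueuedMessage(text, fp)
        if online:
            self.delivered.append((contact, msg))
        else:
            self.outbox.setdefault(contact, []).append(msg)

    def _flush(self, contact: str) -> None:
        """Rebind (re-encrypt) queued messages to the pinned key and deliver them."""
        fp = self.pinned[contact]
        for msg in self.outbox.get(contact, []):
            self.delivered.append((contact, QueuedMessage(msg.text, fp)))
        self.outbox[contact] = []

    def on_key_change(self, contact: str, new_key: bytes) -> None:
        """Server announces that `contact` now has a different key."""
        new_fp = fingerprint(new_key)
        if self.pinned.get(contact) == new_fp:
            return
        if self.policy is KeyChangePolicy.HOLD_UNTIL_VERIFIED:
            # Nothing leaves the device until the user checks the fingerprint.
            self.pending[contact] = new_fp
            self.notifications.append(f"{contact}: key changed to {new_fp}; queued messages held")
            return
        self.pinned[contact] = new_fp
        if self.policy is KeyChangePolicy.NOTIFY_AND_RESEND:
            self.notifications.append(f"{contact}: key changed to {new_fp}; messages resent")
        self._flush(contact)

    def verify_contact(self, contact: str, fp_seen_out_of_band: str) -> bool:
        """User compared the fingerprint with the contact in person; release the queue on a match."""
        if self.pending.get(contact) != fp_seen_out_of_band:
            return False
        self.pinned[contact] = self.pending.pop(contact)
        self._flush(contact)
        return True


if __name__ == "__main__":
    # Constructed sample keys; in a real client these would be the contact's public keys.
    for policy in KeyChangePolicy:
        client = SenderClient(policy)
        client.send("bob", "meet at 9", b"bob-key-1", online=False)
        client.on_key_change("bob", b"bob-key-2")
        print(policy.value, "delivered:", len(client.delivered),
              "held:", len(client.outbox["bob"]), "notifications:", client.notifications)
```

The silent policy reproduces the situation the article describes: the queued message is re-encrypted under whatever key the server presents and leaves the device with no notification. Turning notifications on changes visibility, not behaviour; only the hold policy makes delivery conditional on the sender actually checking the new fingerprint.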

"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter told The Guardian.

He said he told Facebook about the issue in April 2016, but was told that it is not currently being worked on because it was "expected behaviour" for the app.

"The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming," said Kevin Bocek, chief cyber security strategist at security firm Venafi.

"This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private.

"This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed.

"This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide."

A WhatsApp spokesperson said the change of keys most commonly happens when a user gets a new phone or reinstalls the WhatsApp messaging app.

"This is because in many parts of the world, people frequently change devices and SIM cards," it told The Guardian. "In these situations, we want to make sure people's messages are delivered, not lost in transit."

Users can turn on WhatsApp security notifications in Settings > Account > Security.

For more on the vulnerability, see Boelter's blog post from April 2016.

Photo © Jan Persiel (CC BY-SA 2.0). Cropped.

Copyright Lyonsdown Limited 2021
