A security bug at WhatsApp could undermine the end-to-end encryption that its owner, Facebook, has promised. The bug could allow encrypted messages to be intercepted from the popular messaging app.
WhatsApp, acquired by Facebook in 2014, said last year that all communications flowing through the service, such as text messages, videos and other files, would be encrypted. With more than 1 billion users, the app has become hugely popular.
Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, contacted WhatsApp about a flaw he had found in the app at about the time WhatsApp announced its end-to-end encryption. He found that an attacker, or WhatsApp itself, can intercept messages that have not yet been delivered, for example because the recipient was offline or had changed their phone number.
WhatsApp generates new encryption keys for undelivered messages, and those keys could be intercepted by a third party other than WhatsApp. WhatsApp itself also holds the message on its servers, since it generates another version of the message encrypted under the new key.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter said in an interview with The Guardian.
Boelter also wrote about the situation on his blog in May, saying that “next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI”. He also gave a presentation on the WhatsApp vulnerability earlier this year; a video is posted on Twitter.
After he contacted Facebook and WhatsApp about the vulnerability in April 2016, Facebook told him in May that the company was not “actively working on changing” it.
Users can change their security settings so that they are notified when a contact’s key or security code changes, a WhatsApp spokesperson told The Guardian.
“We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit,” the company told The Guardian.
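The behaviour the article describes, a recipient's key being regenerated while a message is still undelivered, the sender's client re-encrypting that message to the new key, and the optional notification, can be seen in a small model. This is an added example, not WhatsApp's code and not the Signal protocol WhatsApp actually uses: the cipher, the key directory and the client are stand-ins written for this page, the names Alice, Bob and Mallory and the message texts are constructed, and the HOLD_UNTIL_VERIFIED policy is an alternative the article does not attribute to WhatsApp, included to show what the notification setting does and does not prevent.

```python
import hashlib
import os
from dataclasses import dataclass, field
from enum import Enum


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream XOR). A stand-in so the example runs
    offline; it is not the Signal protocol WhatsApp uses and is not for real use."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(d ^ k for d, k in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, ciphertext[:16], ciphertext[16:])


class Policy(Enum):
    SILENT_RESEND = "re-encrypt undelivered messages to the new key, tell nobody"
    RESEND_AND_NOTIFY = "re-encrypt and resend, but show a security-code notice"
    HOLD_UNTIL_VERIFIED = "keep the messages until the user accepts the new key"


@dataclass
class Client:
    """Sender-side state. `directory` stands in for the server's key lookup:
    whoever registered a contact's current key can decrypt traffic sent to it."""
    directory: dict
    policy: Policy
    pinned: dict = field(default_factory=dict)     # contact -> key trusted so far
    pending: list = field(default_factory=list)    # (contact, plaintext) not yet acknowledged
    submitted: list = field(default_factory=list)  # (contact, key_used, ciphertext) handed to server
    notices: list = field(default_factory=list)    # what the user would be shown

    def send(self, contact: str, text: str) -> None:
        key = self.pinned.setdefault(contact, self.directory[contact])
        self.submitted.append((contact, key, encrypt(key, text.encode())))
        self.pending.append((contact, text))  # stays pending while the contact is offline

    def _resend(self, contact: str, key: bytes) -> int:
        """Re-encrypt every undelivered message for `contact` under `key`."""
        resent = 0
        for c, text in self.pending:
            if c == contact:
                self.submitted.append((c, key, encrypt(key, text.encode())))
                resent += 1
        return resent

    def on_key_change(self, contact: str) -> int:
        """Called when the server reports a new key for `contact` while messages
        are still undelivered. Returns how many messages were resent."""
        new_key = self.directory[contact]
        if new_key == self.pinned.get(contact):
            return 0
        if self.policy is Policy.HOLD_UNTIL_VERIFIED:
            held = sum(1 for c, _ in self.pending if c == contact)
            self.notices.append(f"{contact}: key changed, {held} message(s) held")
            return 0
        if self.policy is Policy.RESEND_AND_NOTIFY:
            self.notices.append(f"{contact}: security code changed")
        self.pinned[contact] = new_key  # the new key is trusted automatically
        return self._resend(contact, new_key)

    def accept_new_key(self, contact: str) -> int:
        """User-driven acceptance, e.g. after comparing security codes in person."""
        self.pinned[contact] = self.directory[contact]
        return self._resend(contact, self.pinned[contact])


def run_scenario(policy: Policy) -> dict:
    """Constructed scenario: Alice messages Bob while he is offline; Bob's
    directory entry is then replaced by a key Alice has never seen (a reinstall,
    a new SIM, or a party that controls the server). Whoever holds that key is
    called Mallory here. Returns what Mallory can read and what Alice saw."""
    directory = {"bob": os.urandom(32)}
    alice = Client(directory, policy)
    alice.send("bob", "meet at the north entrance at 9")
    alice.send("bob", "bring the documents")
    mallory_key = os.urandom(32)
    directory["bob"] = mallory_key  # key replaced while the messages are undelivered
    alice.on_key_change("bob")
    leaked = [decrypt(k, ct).decode() for _, k, ct in alice.submitted if k == mallory_key]
    return {"leaked": leaked, "notices": alice.notices, "pending": len(alice.pending)}


if __name__ == "__main__":
    for policy in Policy:
        result = run_scenario(policy)
        print(f"{policy.name:20s} leaked={len(result['leaked'])} notices={result['notices']}")
```

Under both resend policies the holder of the new key can read every undelivered message; the notification setting changes only what the sender is shown afterwards, not what is sent. Only a client that holds the queue until the user accepts the new key keeps the messages from being re-encrypted to a key the sender has never verified.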
Another issue had also concerned privacy advocates. WhatsApp said in August 2016 that, as a way to better serve users and fight spam, it would begin sharing data with Facebook. But the requirement that users opt out of the feature led privacy groups, including the Electronic Privacy Information Center (EPIC), to file complaints with the Federal Trade Commission.
EPIC called the move an “unfair and deceptive trade practice”. In the European Union, Commissioner Margrethe Vestager said Facebook “gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp.”
(Adapted from CNBC)