A security researcher and cryptographer from the University of California has discovered a vulnerability in Facebook’s WhatsApp messaging service that, if exploited, would allow a third party to snoop on the encrypted messages of over a billion people.
Across the world, in oppressive regimes and the post-Snowden West, journalists and activists have used WhatsApp’s secure messaging to communicate in confidentiality and privacy, making this discovery all the more alarming.
Facebook bought WhatsApp in 2014 for a hefty $22 billion and, in April 2016, implemented the Signal protocol, a respected end-to-end encryption methodology with no known weaknesses that is owned and developed by a company called Open Whisper Systems.
End-to-end encryption works by creating a unique pair of security keys for messages to verify and protect communication between users. It’s supposed to prevent the communications being read or intercepted and thus protect the privacy of users.
Researcher Tobias Boelter, however, discovered a problem with the way in which Facebook applies the Signal protocol.
While the company did implement the encryption protocol, it also applied a new function that would give WhatsApp the ability to resend undelivered messages. Herein lies the issue: in resending, the application generates a new unique security key which makes that individual message readable to WhatsApp.
In a statement, WhatsApp defended the resending of messages as a practical function: “In many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
However, for many users who rely on the service because of its privacy features, this function will raise alarm, since it can be seen to weaken the Signal protocol and potentially expose their private communications to governments, police, or hackers, albeit only when a message goes undelivered.
It’s important to note that this vulnerability is not inherent in the Signal protocol. In fact, when the protocol is implemented correctly and without meddling, as it is in Open Whisper Systems’ own separate messaging app, also named Signal, it enables such secure messaging that it has been touted by NSA whistleblower Edward Snowden and renowned cryptographers.
End-to-end encryption is designed to minimize the data that even the service provider can access, hiding even the security keys. When Open Whisper Systems was handed a subpoena in 2016 requiring it to give up user data, it could only share when a user had signed up and the last time they had logged in.
However, because WhatsApp can exploit access to undelivered messages via this function, it could land the company in a compromising legal position.
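The resend behaviour described above can be modelled on the sender's side. The following Python is an added example, not code from WhatsApp or Open Whisper Systems: it assumes a non-blocking client re-encrypts undelivered messages to a recipient's newly announced key without asking, while a blocking client holds them until the user has compared the new key's fingerprint. The class, method names and sample keys are constructed for illustration, and encryption is represented only by recording which key a message is sealed to.

```python
import hashlib

def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint two users can compare out of band."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

class Sender:
    """Sender-side outbox that pins the recipient's identity key on first use."""
    def __init__(self, recipient_key: bytes, blocking: bool):
        self.pinned = fingerprint(recipient_key)
        self.blocking = blocking
        self.unverified = None  # fingerprint announced but not yet checked
        self.pending = []       # sent, not yet acknowledged as delivered
        self.held = []          # withheld until the user verifies a new key
        self.wire = []          # (recipient fingerprint, text) actually sent

    def send(self, text: str) -> None:
        # Stand-in for encryption: record which key the message is sealed to.
        self.wire.append((self.pinned, text))
        self.pending.append(text)

    def ack(self, text: str) -> None:
        self.pending.remove(text)

    def on_key_change(self, new_key: bytes) -> None:
        """The server announces a different identity key for the recipient."""
        new_fp = fingerprint(new_key)
        if new_fp == self.pinned:
            return
        if self.blocking:
            # Hold undelivered messages; nothing is sealed to the unverified key.
            self.unverified, self.held, self.pending = new_fp, self.pending, []
        else:
            # Re-seal undelivered messages to the new key without asking.
            self.pinned = new_fp
            self.wire.extend((new_fp, text) for text in self.pending)

    def user_verified(self, fp_compared_out_of_band: str) -> bool:
        """Release held messages only if the user confirms the new fingerprint."""
        if self.unverified is None or fp_compared_out_of_band != self.unverified:
            return False
        self.pinned, self.unverified = self.unverified, None
        self.pending, self.held = self.held, []
        self.wire.extend((self.pinned, text) for text in self.pending)
        return True

def sealed_to(sender: Sender, key: bytes) -> list:
    """Texts that left the device sealed to the given identity key."""
    return [text for fp, text in sender.wire if fp == fingerprint(key)]

OLD_KEY, NEW_KEY = b"constructed-key-A", b"constructed-key-B"  # constructed samples
```

Only messages still in `pending` at the moment of the key change are affected, which matches the article's point that the exposure is limited to undelivered messages.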
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter reported to the Guardian.
Facebook did not immediately respond to multiple requests for comment.
While WhatsApp clears up the mess and deals with whatever fallout may come from this privacy fumble, some privacy activists are recommending that concerned users download Signal to guarantee the highest levels of protection.