WhatsApp encryption vulnerability allows messages to be intercepted

A WhatsApp encryption vulnerability may enable messages sent using the service to be intercepted, a security expert has revealed.

Tobias Boelter, a researcher at the University of California, found an issue that allows the encryption keys used for a conversation to be changed without users’ consent, according to The Guardian.

He said WhatsApp can force the generation of new encryption keys for offline users, meaning the sender must re-encrypt undelivered messages with new keys and send them again.

The sender is notified that this has happened only after the messages have already been resent, and only if security notifications are turned on; the recipient is not notified at all.

This means that if the recipient is offline when a message is sent, an attacker who can register the receiving number with the WhatsApp server can read the resent, re-encrypted message.
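The following model, added here as an illustration and not code from WhatsApp, Boelter or the article, walks through the sequence just described: a message queued for an offline recipient, the server handing out a new public key for that number, and the sender's client either re-encrypting and resending automatically (the behaviour reported above) or holding the message until the key change is acknowledged. The toy Diffie-Hellman group and SHA-256 stream cipher stand in for the app's real cryptography, and all names (`Server`, `Client`, `simulate`, `auto_resend`, the message text) are constructed for the example.

```python
"""Toy model of the offline-recipient key-change scenario (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman parameters: a small Mersenne prime so the example stays
# readable. Demonstration only; real deployments use standardised groups.
P = 2**127 - 1
G = 5


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    """Derive a symmetric key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher (keystream XOR); not authenticated, illustration only."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Server:
    """Directory of number -> current public key. Whoever completes registration
    for a number replaces its key; nobody else is told."""
    keys: dict = field(default_factory=dict)

    def register(self, number: str, pub: int) -> None:
        self.keys[number] = pub


@dataclass
class Client:
    number: str
    priv: int = 0
    pub: int = 0
    pinned: dict = field(default_factory=dict)    # peer -> key seen on first contact
    warnings: list = field(default_factory=list)  # "security code changed" notices
    outbox: list = field(default_factory=list)    # undelivered plaintexts

    def __post_init__(self):
        self.priv, self.pub = keypair()


def simulate(auto_resend: bool, notifications_on: bool = True) -> dict:
    """Run the scenario and report what an attacker who re-registers the
    recipient's number can read, plus the order of resend/warning events."""
    server = Server()
    alice, bob, mallory = Client("alice"), Client("bob"), Client("mallory")
    server.register("bob", bob.pub)
    alice.pinned["bob"] = server.keys["bob"]  # trust on first use

    # Bob is offline: the message is encrypted to his pinned key and queued.
    msg = b"meet at 9"
    alice.outbox.append(msg)
    queued = encrypt(shared_key(alice.priv, alice.pinned["bob"]), msg)
    assert decrypt(shared_key(bob.priv, alice.pub), queued) == msg  # Bob could read it

    # The attacker registers Bob's number; the server now serves Mallory's key.
    server.register("bob", mallory.pub)
    new_key = server.keys["bob"]

    events, intercepted = [], None
    if new_key != alice.pinned["bob"]:
        if auto_resend:
            # Reported behaviour: re-encrypt to the new key and resend first...
            resent = encrypt(shared_key(alice.priv, new_key), msg)
            alice.outbox.remove(msg)
            alice.pinned["bob"] = new_key
            events.append("resent")
            # ...and only then, and only if enabled, show the sender a warning.
            if notifications_on:
                alice.warnings.append("security code for bob changed")
                events.append("warned")
            intercepted = decrypt(shared_key(mallory.priv, alice.pub), resent)
        else:
            # Safer policy: hold the message until the user confirms the new key.
            alice.warnings.append("security code for bob changed; message held")
            events.append("warned")
    return {"intercepted": intercepted, "events": events, "pending": len(alice.outbox)}
```

Running `simulate(True)` returns the plaintext in `intercepted`, with the warning logged only after the resend; `simulate(False)` returns no intercepted text and leaves the message pending. The difference between the two branches is entirely a client policy decision, which is why the page's dispute is over whether automatic resending should count as expected behaviour.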

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told The Guardian.

He said he told Facebook about the issue in April 2016, but was told that it was not being worked on because it was “expected behaviour” for the app.

“The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming,” said Kevin Bocek, chief cyber security strategist at security firm Venafi.

“This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private.

“This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed.

“This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide.”

A WhatsApp spokesperson said the change of keys most commonly happens when a user gets a new phone or reinstalls the WhatsApp messaging app.

“This is because in many parts of the world, people frequently change devices and SIM cards,” the spokesperson told The Guardian. “In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

Users can turn on WhatsApp security notifications in Settings > Account > Security. As described above, the notification appears only after any undelivered messages have already been re-encrypted and resent, so it alerts the sender to a key change rather than preventing the resend.

For more on the vulnerability, see Boelter’s blog post from April 2016.


Photo © Jan Persiel (CC BY-SA 2.0). Cropped.

Copyright Lyonsdown Limited 2021