Your WhatsApp messages can easily be spied on, and Facebook made sure to keep it that way
WhatsApp's end-to-end encryption relies on the generation of unique security keys through the use of the Signal protocol. That's the same system that's used by the Signal messaging app that Edward Snowden vouched for. There's one key difference in WhatsApp's implementation, though.
The vulnerability was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he said for the Guardian. Boelter contacted Facebook about the backdoor back in April 2016, but he was told by the company that this is actually “expected behavior” and it isn't being actively worked on.
Boelter's finding were confirmed by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. He said for The Guardian:
But what we've said so far, you could assume that this exploit could be used to spy only on single messages, and not entire conversations. However, Boelter thinks otherwise. “This is not true if you consider that the WhatsApp server can just forward messages without sending the 'message was received by recipient' notification (or the double tick), which users might not notice,” he said. “Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
"A gold mine for security agencies"
Other cyber-security experts also commented the issue for The Guaridan. Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the backdoor “a gold mine for security agencies” and “a huge betrayal of user trust.” She believes that users should be concerned about it, and said: “Consumers will say, I've got nothing to hide, but you don't know what information is looked for and what connections are being made.”
Jim Killock, executive director of Open Rights Group, said: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that the technical capability notices could be used to compel companies to introduce flaws – which could leave people's data vulnerable.”
The Guardian reached out to WhatsApp, and the response it got sounds more like a sales pitch, than anything else.
When The Guardian asked specifically whether Facebook or WhatsApp had accessed users' messages, and whether either has done so at the request of a government agency, it was directed to Facebook's page that details the number of government requests for Facebook data.
The whole Facebook/WhatsApp privacy saga started in 2014, when Facebook acquired the messaging service, but Zuck and company have been on watchdog radars a while before that. We don't doubt that the existence of this backdoor will certainly add some more fuel to the fire.
source: The Guardian