Your WhatsApp messages can easily be spied on, and Facebook made sure to keep it that way


UPDATE: WhatsApp reached out to us with a statement on the matter. Here's the full print:


In a lot of people's minds, Facebook is this huge cyber villain that gathers data on everyone and keeps tabs, not unlike Orwell's Big Brother. And after coming across some information in The Guardian, we can't really blame them.

Facebook repeatedly claimed that no one can spy on WhatsApp messages, not even its own staff. These claims came after the company was in the hot seat, due to its acquisition of the IM service and its questionable change to WhatsApp's privacy policy. However, a security backdoor has been discovered in the WhatsApp service that allows Facebook and third-party hackers to intercept and read said encrypted messages.

WhatsApp's end-to-end encryption relies on the generation of unique security keys through the use of the Signal protocol. That's the same system that's used by the Signal messaging app that Edward Snowden vouched for. There's one key difference in WhatsApp's implementation, though.

WhatsApp has the ability to force the generation of new encryption keys for offline users, without the knowledge of either the sender or the recipient. It can then make the sender re-encrypt any messages that were not marked as delivered with the new keys and send them again. The recipient is not notified about the new encryption keys, and the sender is only prompted if they have specifically opted in to encryption warnings in the settings, and only after the message has already been sent. This means that, by the time the sender is notified of the change, a third party could have received the re-sent messages already.

The vulnerability was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he told the Guardian. Boelter contacted Facebook about the backdoor back in April 2016, but he was told by the company that this is actually “expected behavior” and that it isn't being actively worked on.

Boelter's findings were confirmed by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. He told The Guardian:


From what we've said so far, you could assume that this exploit could be used to spy only on single messages, not on entire conversations. However, Boelter thinks otherwise. “This is not true if you consider that the WhatsApp server can just forward messages without sending the 'message was received by recipient' notification (or the double tick), which users might not notice,” he said. “Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
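To make the two behaviours described above concrete, here is an added simulation (a constructed model, not WhatsApp's or Signal's code; the `Server` and `Sender` classes and the key labels are invented). Keys are opaque labels and "encryption" is just tagging a message with the key it was encrypted to, because the point is the client's policy on a key change: one client silently re-encrypts undelivered messages to a server-announced key, the other warns first and sends nothing until the change is verified.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """Constructed stand-in for the relay server: it announces each user's
    current key, sees every ciphertext, and controls delivery receipts."""
    keys: dict = field(default_factory=dict)      # user -> current key label
    acked: set = field(default_factory=set)       # message ids confirmed delivered
    relayed: list = field(default_factory=list)   # (msg_id, key_label, text) seen

@dataclass
class Sender:
    """Sending client. 'Encryption' is modelled as tagging the message with
    the key label it was encrypted to; only the key-change policy matters."""
    server: Server
    peer: str
    pinned_key: str
    block_on_change: bool   # True: hold undelivered messages until user verifies
    pending: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)

    def send(self, msg_id, text):
        self.pending[msg_id] = text
        self.server.relayed.append((msg_id, self.pinned_key, text))

    def on_key_change(self):
        """Called when the server announces a new key for the peer.
        Returns the ids of messages re-encrypted to the new key."""
        new_key = self.server.keys[self.peer]
        if new_key == self.pinned_key:
            return []
        self.warnings.append(f"key for {self.peer} changed to {new_key}")
        if self.block_on_change:
            return []                    # safe default: warn first, send nothing
        undelivered = [m for m in self.pending if m not in self.server.acked]
        for m in undelivered:            # silent re-encryption to the new key
            self.server.relayed.append((m, new_key, self.pending[m]))
        self.pinned_key = new_key
        return undelivered

def run_scenario(block_on_change):
    """Two messages are sent, no delivery receipts come back, then the server
    announces key 'K2'. Returns the ids that ended up encrypted to 'K2'."""
    server = Server(keys={"bob": "K1"})
    alice = Sender(server, "bob", "K1", block_on_change)
    alice.send("m1", "meet at 9")
    alice.send("m2", "bring the documents")
    server.keys["bob"] = "K2"            # key rotated while bob is offline
    alice.on_key_change()
    return sorted(m for m, k, _ in server.relayed if k == "K2")
```

With receipts withheld, every message stays "undelivered", so the silent policy re-encrypts the whole backlog to whatever key the server announced; the blocking policy leaves the backlog under the pinned key and surfaces the warning before anything is re-sent.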


Other cyber-security experts also commented on the issue for The Guardian. Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the backdoor “a gold mine for security agencies” and “a huge betrayal of user trust.” She believes that users should be concerned about it, and said: “Consumers will say, I've got nothing to hide, but you don't know what information is looked for and what connections are being made.”

Jim Killock, executive director of Open Rights Group, said: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that the technical capability notices could be used to compel companies to introduce flaws – which could leave people's data vulnerable.”

The Guardian reached out to WhatsApp, and the response it got sounds more like a sales pitch than anything else.


When The Guardian asked specifically whether Facebook or WhatsApp had accessed users' messages, and whether either has done so at the request of a government agency, it was directed to Facebook's page that details the number of government requests for Facebook data.

The whole Facebook/WhatsApp privacy saga started in 2014, when Facebook acquired the messaging service, but Zuck and company had been on watchdog radars for a while before that. We don't doubt that this backdoor will add more fuel to the fire.

source: The Guardian


18 Comments

1. trojan_horse

Posts: 5868; Member since: May 06, 2016

Another WhatsApp vulnerability! I'll be on the lookout, from now on... Thanks for the heads up!

2. GreenMan

Posts: 2697; Member since: Nov 09, 2015

Facebook, eh? Aye, thought so... Er... So... (Scratches the head)... Does it mean that all texts sent over What'sApp are spy-able...? Hmmm... Well... Yeah.. Can't say I didn't see it coming... It's Facebook, after all...! Oh well... I'm going to use it anyway cause I'm no drug lord or perhaps, a celebrity... Got nothing to hide from the law, the media and/or the public... I shall keep on using it not because I don't care about my privacy (which I do) but because most (if not all) people I know are available on What'sApp... And most of my texts are nothing more than fluffy pieces with 'cute' emojis every now and then... In other words, not too interesting for the likes of MI6 and CIA... Or perhaps Mossad or whatever...! Oh well, eh? G'Day!

5. BlueVisionist

Posts: 23; Member since: Nov 07, 2016

eh???

7. SYSTEM_LORD

Posts: 1168; Member since: Oct 05, 2015

Mossad is right! Ha, I'm glad you realize that!

3. Wiencon

Posts: 2278; Member since: Aug 06, 2014

Whatsup sucks anyway in my opinion, Viber or iMessages are better. I suppose Allo is as well

4. Podrick

Posts: 1285; Member since: Aug 19, 2015

iMessage is available only on iDevices unfortunately.

9. mikehunta727 unregistered

I know, sucks. Hopefully RCS rolls out quicker to everyone

6. mahima

Posts: 729; Member since: Nov 20, 2014

you can steal my message anytime... nothing that can get me in jail or that can put a country into danger!!

8. kiko007

Posts: 7493; Member since: Feb 17, 2016

So you're okay with them siphoning your personal messages if they tell you its for "security" purposes? I don't understand that line of thought.

11. mikehunta727 unregistered

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say,"

10. Abdbaas

Posts: 141; Member since: Apr 05, 2016

Telegram all the way

12. FlySheikh

Posts: 444; Member since: Oct 02, 2015

Privacy is a myth..

13. Tziggy14

Posts: 624; Member since: Sep 02, 2014

Funny all fingers are pointed at Facebook, and not Google, who has far far more data collection methods to their income.

14. fancollo

Posts: 130; Member since: Dec 30, 2015

I don't use Whatsapp. Not for security reasons though, because there's no security or privacy in using messaging apps. Today it's again Whatsapp, tomorrow it'll be Telegram, then imessage, then facebook messenger. If you care about security and privacy, you simply can't use messengers.

15. MrElectrifyer

Posts: 3960; Member since: Oct 21, 2014

“Consumers will say, I've got nothing to hide, but you don't know what information is looked for and what connections are being made.” Couldn't have said it any better. People tend to forget the simple fact that values change, the data doesn't. What the average joe sees as merely a "conversation" could easily be used as a means of acquiring people's details, and using that as a lead for other means... As for WhatsApp, said it from the very start, and I'll say it again, there's nothing like privacy in the hands of facecrook. Mark Zukerbitch has long proven to be a pathological liar, expecting that to change is merely delusional.

16. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

Is there a safe im app (except iMessage)? I would like to use one when I'm messaging my Android user friends.

17. trojan_horse

Posts: 5868; Member since: May 06, 2016

So, you think iMessage is the safe one? Not surprised reading that from you, anyways.

18. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

Yes I'm going to think iMessage is safe until I'm going to hear reports of unauthorized reading of messages. You should worry less about what I'm using and more about what you are using.
