WhatsApp Vulnerability? Safety of Encrypted Messages Called into Question

Febraury 1, 2017: In the weeks since the initial report on the WhatsApp backdoor, there has been much debate about the information presented. 30 security researchers signed a letter to the Guardian asking them to retract their origianl story for containing misleading information. Forbes also delved into the news, sharing more detail on waht information is asked of WhatsApp during government requests.

January 16, 2017: WhatsApp has long been touted as a highly-secure platform for messaging, employing strong end-to-end encryption to protect its user base and the privacy of their communications. As a result, millions of people around the world look to WhatsApp to communicate securely. Following a news report by the Guardian, however, the way we look at WhatsApp could be changing. Last week the Internet was abuzz with news that there is a vulnerability into WhatsApp’s encrypted messages. Despite the company’s claim that they are totally secure, a report put out by the Guardian on Friday raised much alarm when it pointed out insecurities in WhatsApp’s newest generation of encryption keys, and the way by which messages are re-sent.

As described by the Guardian, “WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.” 

WhatsApp was quick to respond, asserting that no backdoor into the messages exists, and government or other snooping is not possible. The creator of the encryption used in WhatsApp, Open Whisper Systems’ Moxie Marlinspike, stated in response that the new key method was purposefully implemented by design and “In no way constitutes a backdoor…WhatsApp gives users the option to be notified when those changes occur.” Marlinspike further said “under no circumstances is it reasonable to call this a ‘backdoor,” as key changes are immediately detected by the sender and can be verified.

Many others have chimed in online, affirming the implementation is nothing new for WhatsApp, and there is no backdoor or vulnerability present.We will update this post as more information becomes available, and you can read more about the developing situation from the sources below.