WhatsApp has 'bug' that could be exploited

Mike Snider

WhatsApp has a security bug that could allow encrypted messages to be intercepted from the popular messaging app, which owner Facebook has said promises end-to-end encryption.

WhatsApp, acquired by Facebook in 2014, said last year that all communications such as text messages, videos and other files flowing through the service would be encrypted. The app has become hugely popular, with more than 1 billion users.

About the time that WhatsApp announced its end-to-end encryption, cryptography and security researcher Tobias Boelter at the University of California-Berkeley contacted WhatsApp about a flaw he had found in the app. He found that undelivered messages — perhaps because the receiver of the message was offline or had changed their phone number — could be intercepted either by an attacker or WhatsApp itself, he says.

That's because WhatsApp makes new encryption keys for undelivered messages and those could be intercepted by a third party that is not WhatsApp. WhatsApp itself, since it is generating another version of the message, has it on its servers, too.

In an interview with The Guardian, Boelter said, "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys."

Boelter also did a presentation on the WhatsApp vulnerability earlier this year — a video is posted on Twitter — and wrote about the situation on his blog in May, saying that "next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI."

He contacted Facebook and WhatsApp about the vulnerability in April 2016 and, in May, Facebook told him the company is not "actively working on changing" it.

A WhatsApp spokesperson told The Guardian that users can change their security settings so that they know when a contact's key or code is changed. "We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people's messages are delivered, not lost in transit," the company told The Guardian.
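A simplified model of the behavior described above, added here as an illustration and not WhatsApp's code: a sending client holds an undelivered message, the server reports a new key for the contact, and the client either re-encrypts automatically and notifies, or holds the message until the user confirms the new key. All names are hypothetical, `seal` is a stand-in for real encryption, and the blocking policy is an assumed stricter alternative that the article does not describe.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Short key identifier that two users could compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

def seal(text: str, key: bytes) -> dict:
    # Stand-in for encryption: records which key holder could read the body.
    return {"readable_by": fingerprint(key), "body": text}

@dataclass
class SenderClient:
    block_on_key_change: bool                        # hypothetical policy switch
    trusted: dict = field(default_factory=dict)      # contact -> trusted fingerprint
    undelivered: dict = field(default_factory=dict)  # contact -> [plaintext]
    notices: list = field(default_factory=list)

    def send(self, contact: str, text: str, server_key: bytes) -> dict:
        self.trusted.setdefault(contact, fingerprint(server_key))  # trust on first use
        self.undelivered.setdefault(contact, []).append(text)
        return seal(text, server_key)

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """The server reports a new key while messages are still undelivered."""
        if fingerprint(new_key) == self.trusted.get(contact):
            return []
        self.notices.append(f"security code changed for {contact}")
        if self.block_on_key_change:
            return []                                # hold until the user confirms
        return self._resend(contact, new_key)        # re-encrypt without asking

    def confirm(self, contact: str, verified_key: bytes) -> list:
        """The user checked the new fingerprint with the contact out of band."""
        return self._resend(contact, verified_key)

    def _resend(self, contact: str, key: bytes) -> list:
        self.trusted[contact] = fingerprint(key)
        return [seal(t, key) for t in self.undelivered.pop(contact, [])]

# Constructed sample keys (labels only, not real key material).
BOB_OLD, BOB_NEW, UNVERIFIED = b"bob-phone-1", b"bob-phone-2", b"someone-else"

def demo(block: bool) -> list:
    alice = SenderClient(block_on_key_change=block)
    alice.send("bob", "meet at 6", BOB_OLD)          # Bob is offline: stays queued
    return alice.on_key_change("bob", UNVERIFIED)    # server presents a different key
```

With `demo(False)` the queued message is re-sealed to whichever key the server presented; with `demo(True)` nothing leaves the client until `confirm` is called.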

Privacy advocates had been concerned with WhatsApp on another issue, too. In August 2016, WhatsApp said it would begin sharing data with Facebook, as a way to better serve users and fight spam. But the requirement that users opt out of the feature led privacy groups including the Electronic Privacy Information Center to file complaints with the Federal Trade Commission.

EPIC called the move an "unfair and deceptive trade practice." And European Union Commissioner Margrethe Vestager said Facebook "gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp."