WhatsApp is one of the many applications that offers E2EE, having introduced it in November of 2014 using Open Whisper Systems’ acclaimed Signal protocol.
Snowden himself has suggested the Signal app as a safe way to communicate.
However, the Guardian newspaper reported on Friday that WhatsApp has a backdoor that exposes its users to potential snooping.
The vulnerability lies in the way the application handles a change of encryption key, which usually happens when one party in the exchange changes their device or sim-card, or reinstalls the app.
If a malicious party were to take control of a WhatsApp server, it could force a change in the encryption key and install itself as a relay point, intercepting and reading all messages in the process, meaning the re-encrypted, resent messages would be exposed immediately.
Moreover, if the key change notifications were not turned on, there would be no way for the users to realize that they were being snooped on.
By comparison, the Signal app, which uses the same protocol, always notifies users of encryption key changes and does not automatically re-encrypt and resend messages.
This type of attack would be hard for a common criminal to carry out, considering that WhatsApp servers are well-protected from hacking, but a government agency could theoretically force the company to do this.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, told the British newspaper.
After the publication of the Guardian report, WhatsApp issued a statement saying: “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.”
The newspaper changed its article accordingly, calling the potential for a key change attack a “vulnerability,” rather than a “backdoor” – a term implying that the vulnerability had been left deliberately.
The Verge report says that the loophole was a trade-off between user convenience and security, with WhatsApp choosing to make concessions to appeal to less tech-savvy users. It argues that a government would not be able to exploit the vulnerability for mass surveillance because it would not be able to conceal it from users.
“It’s not a particularly useful technique for law enforcement: the target would be notified, and investigators wouldn’t get as much information as they would from an SMS login hijack or simply mugging the target when her phone is unlocked.
But if an ambitious prosecutor wanted to score points in the encryption debate, it could be a very tempting subpoena to file,” the report points out.
"The Controversial Truth" Project
Please Follow Us on As many As possible to ensure we cannot be censored or shut down.
(LIKE, SHARE, COMMENT, SUPPORT US & FOLLOW)