WhatsApp Security: make this change right now (backdoor) !

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
source: WhatsApp Security: make this change right now! - gHacks Tech News

WhatsApp Security: make this change right now!

Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages.

Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the services end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application.

WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. Your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message. For added protection, every message you send has a unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.

It turns out however that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter (via The Guardian) found out.

Update: In a statement sent to Ghacks, a WhatsApp spokesperson provided the following insight on the claim:

“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. ** This claim is false. **

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security
notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report. (https://govtrequests.facebook.com/)”


WhatsApp has the power to generate new encryption keys for users who are not online. Both the sender and the recipient of messages are not made aware of that, and the sender would send any message not yet delivered again by using the new encryption key to protect the messages from third-party access.

The recipient of the message is not made aware of that. The sender, only if Whatsapp is configured to display security notifications. This option is however not enabled by default.

While WhatsApp users cannot block the company — or any state actors requesting data — from taking advantage of the loophole, they can at least activate security notifications in the application.

The security researcher reported the vulnerability to Facebook in April 2016 according to The Guardian. Facebook’s response was that it was “intended behavior” according to the newspaper.
 

Entreri

Level 7
Verified
May 25, 2015
342
I expected this, given the Snowden disclosures. I also expect every major product, software/hardware to have some kind of backdoor.

The FBI is putting on a good show.

Some intelligence agencies have switched to typewriters for their most sensitive documents.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Oh well, I use Whatsapp mainly for trivial conversations with friends and colleagues.
But obviously, the more a service is big with billions of users, the more it can be manipulated.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top