A cybersecurity researcher has found a flaw in the encrypted messaging program of Facebook-owned WhatsApp that creates a backdoor through which the company could view message content.
Tobias Boelter, a cybersecurity researcher at the University of California at Berkeley, found that WhatsApp's encryption setup could allow Facebook to read messages, putting the company in the position of having to turn over data to law enforcement if required, according to the Guardian. WhatsApp can force the generation of new encryption keys for messages that were sent through its system but, for whatever reason, were not delivered. The new keys would give the company access.
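As an added illustration (not code from the article or from WhatsApp), the toy model below contrasts a client that silently re-encrypts undelivered messages under a server-announced new key with one that holds them until the user verifies that key; the keys, messages and the `encrypt` stub are constructed.

```python
# Added example: how a client handles undelivered messages when the server
# announces a new key for the recipient. All names and values are constructed.
from dataclasses import dataclass, field


def encrypt(key: str, plaintext: str) -> str:
    # Stand-in for real end-to-end encryption: tags the ciphertext with the
    # key it was encrypted under, so we can see who could decrypt it.
    return f"{key}:{plaintext}"


@dataclass
class Client:
    recipient_key: str                              # key currently trusted
    verified: bool = True                           # user verified recipient_key
    pending: list = field(default_factory=list)     # undelivered plaintexts
    sent: list = field(default_factory=list)        # ciphertexts given to server

    def send(self, msg: str) -> None:
        self.sent.append(encrypt(self.recipient_key, msg))
        self.pending.append(msg)                    # not yet acknowledged

    def on_key_change(self, new_key: str, auto_resend: bool) -> None:
        """Server reports the recipient's key changed and messages were undelivered."""
        self.recipient_key = new_key
        self.verified = False
        if auto_resend:
            # Weak policy (behaviour the article describes): silently
            # re-encrypt queued messages under the new, unverified key.
            self.sent.extend(encrypt(new_key, m) for m in self.pending)
            self.pending.clear()
        # Hardened policy: leave them queued until verify_key() is called.

    def verify_key(self) -> None:
        """User confirmed the new key out of band; release queued messages."""
        self.verified = True
        self.sent.extend(encrypt(self.recipient_key, m) for m in self.pending)
        self.pending.clear()


def readable_by(client: Client, key: str) -> list:
    """Plaintexts recoverable by whoever holds `key` (the server in the demo)."""
    return [c.split(":", 1)[1] for c in client.sent if c.startswith(key + ":")]


def demo(auto_resend: bool) -> list:
    c = Client(recipient_key="K_alice")
    c.send("meet at 9")
    c.on_key_change("K_server", auto_resend)        # constructed forced rekey
    return readable_by(c, "K_server")
```

With the weak policy the server-held key can read the resent message; with the hardened policy nothing is resent until the user verifies the new key.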
WhatsApp's supposed inviolability and its reputation as being a safe haven from the prying eyes of the government could take a serious hit from this discovery.
“The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming. This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private,” said Kevin Bocek, Venafi's vice president of security strategy and threat intelligence.
Bocek also explained that the flaw exploits a specific issue to gain ongoing access to many messages.
“The vulnerability identified enables an attack to gain access on an ongoing basis to presumed private messages. The vulnerability starts with undelivered messages and then allows an attacker to gain access thereafter to encrypted communications with the new keys generated. Because WhatsApp connects user identities with phone numbers, attackers, such as law enforcement or intelligence services, are well positioned to exploit this without attacking Facebook directly,” he said to SC Media.
At the same time, this news should act as a warning to anyone who believes their messaging or communications are truly secured.
“The primary ‘take away’ from the recent release of information by researcher Tobias Boelter concerning WhatsApp, is that nothing is truly, 100 percent secure. Those that believe their privacy is being protected by a free App, owned by a social media company, need to come to terms with reality. When you put your privacy and secrecy in someone else's hands for zero dollars, you unfortunately get what you deserve,” said Stephen Gates, chief intelligence analyst with NSFOCUS.