Security researchers have revealed a security backdoor in the WhatsApp messaging service that can be used to snoop on encrypted conversations. WhatsApp’s parent company, Facebook, claims that nobody can intercept these messages, not even the company and its staff. However, according to recent research, Facebook could in fact read messages because of the way WhatsApp has implemented its encryption.



Of course, privacy campaigners were outraged and claimed that the vulnerability threatened freedom of speech, as it could be used by state agencies to spy on unsuspecting people. It must be said that WhatsApp has made privacy its primary selling point since enabling end-to-end encryption, thus becoming the most popular communications tool among activists and journalists.

So, what is the problem with its encryption? It is known to rely on the generation of unique security keys that are traded and verified between users and cannot be intercepted by a third party. Nevertheless, WhatsApp can force the generation of new encryption keys for offline users without their knowledge, and make the sender re-encrypt messages with the new keys and resend them. This re-encryption and rebroadcasting allows WhatsApp to intercept and read the conversations. The recipient is not notified of this, and the sender is notified only if encryption warnings have been enabled in settings.

The vulnerability was discovered by a cryptography and security researcher at the University of California, Berkeley, and it is known not to be inherent to the protocol used by WhatsApp, because other platforms that use the same protocol do not behave like this. In short, unlike other apps, WhatsApp automatically resends an undelivered message encrypted with a new key without warning the sender in advance or allowing the sender to prevent it.
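The two sender-side behaviours contrasted above can be modelled in a few lines. This is an added Python example, not WhatsApp's code or that of any other app: the names `Sender`, `block_on_key_change`, `fingerprint` and `sealed_to` are hypothetical, and encryption is reduced to recording which key fingerprint each message was sealed to.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short key fingerprint that two users could compare out of band."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    trusted_fp: str                 # fingerprint of the recipient key last accepted
    block_on_key_change: bool       # False models the automatic resend described above
    undelivered: list = field(default_factory=list)
    transmitted: list = field(default_factory=list)  # (message, fingerprint sealed to)
    warnings: list = field(default_factory=list)

    def send(self, message: str) -> None:
        # Encryption is out of scope: record only which key the message was sealed to.
        self.transmitted.append((message, self.trusted_fp))
        self.undelivered.append(message)  # recipient is offline, no delivery receipt

    def on_key_change(self, announced_key: bytes) -> str:
        """The server announces a new recipient key while messages are pending."""
        announced_fp = fingerprint(announced_key)
        if self.block_on_key_change:
            self.warnings.append(f"key changed to {announced_fp}; "
                                 f"{len(self.undelivered)} message(s) held")
        else:
            self._resend(announced_fp)  # no prior warning, no chance to refuse
        return announced_fp

    def approve(self, announced_fp: str, verified_fp: str) -> bool:
        """Release held messages only if the out-of-band fingerprint matches."""
        if announced_fp != verified_fp:
            return False
        self._resend(announced_fp)
        return True

    def _resend(self, new_fp: str) -> None:
        self.trusted_fp = new_fp
        self.transmitted += [(m, new_fp) for m in self.undelivered]

def sealed_to(sender: Sender, fp: str) -> list:
    """Messages this sender has transmitted under the given key fingerprint."""
    return [m for m, f in sender.transmitted if f == fp]
```

With `block_on_key_change=False` the pending message is re-sealed to whatever key the server announces; with `True` it stays held until `approve` is given a fingerprint that matches the one verified out of band.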

The flaw was reported to Facebook 9 months ago, but the company said this was normal and that it was not going to actively work on it. So far, the backdoor still exists and calls into question the privacy of messages sent via WhatsApp. Some experts recalled that concerns over the privacy of WhatsApp users have repeatedly arisen since Facebook acquired it in 2014. Over these years, Facebook changed WhatsApp’s privacy policy to allow data from WhatsApp users and Facebook to be merged for advertising and development purposes.