Your WhatsApp messages can easily be spied on, and Facebook made sure to keep it that way

In a lot of people's minds, Facebook is this huge cyber villain that gathers data on everyone and keeps tabs, not unlike Orwell's Big Brother. And after coming across some information in The Guardian, we can't really blame them.

Facebook repeatedly claimed that no one can spy on WhatsApp messages, not even its own staff. These claims came after the company was in the hot seat, due to its acquisition of the IM service and its questionable change to WhatsApp's privacy policy. However, a security backdoor has been discovered in the WhatsApp service that allows Facebook and third-party hackers to intercept and read said encrypted messages.

WhatsApp's end-to-end encryption relies on the generation of unique security keys through the use of the Signal protocol. That's the same system that's used by the Signal messaging app that Edward Snowden vouched for. There's one key difference in WhatsApp's implementation, though.

WhatsApp has the ability to force the generation of new encryption keys for offline users, without the knowledge of neither the sender, nor the recipient. It can then make the sender re-encrypt the messages with the new keys and send them again if they were not marked as delivered prior to that. The recipient is not notified about the new encryption keys, and the sender is only prompted if they have specifically opted-in to encryption warnings in the settings, and only after the message has been successfully sent. This means that, by the time the sender is notified of the change, a third party could have received the new messages already.

The vulnerability was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he said for the Guardian. Boelter contacted Facebook about the backdoor back in April 2016, but he was told by the company that this is actually “expected behavior” and it isn't being actively worked on.

Boelter's finding were confirmed by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. He said for The Guardian:


But what we've said so far, you could assume that this exploit could be used to spy only on single messages, and not entire conversations. However, Boelter thinks otherwise. “This is not true if you consider that the WhatsApp server can just forward messages without sending the 'message was received by recipient' notification (or the double tick), which users might not notice,” he said. “Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”

"A gold mine for security agencies"

Other cyber-security experts also commented the issue for The Guaridan. Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the backdoor “a gold mine for security agencies” and “a huge betrayal of user trust.” She believes that users should be concerned about it, and said: “Consumers will say, I've got nothing to hide, but you don't know what information is looked for and what connections are being made.”

Jim Killock, executive director of Open Rights Group, said: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that the technical capability notices could be used to compel companies to introduce flaws – which could leave people's data vulnerable.”

The Guardian reached out to WhatsApp, and the response it got sounds more like a sales pitch, than anything else.