Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.
The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.
This is described as a “retransmission vulnerability” by Boelter, and claimed as a route for messages to be intercepted and read — and thus as a potential backdoor in WhatsApp’s end-to-end encryption.
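The two policies contrasted above, modelled as an added example (not code from the article, WhatsApp or Signal): a toy sender that pins a contact's identity key on first use and, when the server reports a different key while a message is still unacknowledged, either holds the queue until the user verifies or silently re-encrypts and resends. Contact names and key labels are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    """Sender-side state for one device (constructed model, not either app's code)."""
    pinned: dict = field(default_factory=dict)    # contact -> identity key pinned on first use
    outbox: dict = field(default_factory=dict)    # contact -> messages not yet acknowledged
    notices: list = field(default_factory=list)   # key-change warnings raised for the user

def queue(sender, contact, text):
    sender.outbox.setdefault(contact, []).append(text)

def acknowledge(sender, contact):
    """Recipient confirmed receipt: drop the queued copies so nothing can be resent."""
    sender.outbox.pop(contact, None)

def flush(sender, contact, server_key, auto_resend):
    """Encrypt everything still queued for `contact` under the identity key the
    server currently reports. Returns the (key, text) pairs that left the device."""
    pinned = sender.pinned.get(contact)
    if pinned is None:
        sender.pinned[contact] = server_key            # trust on first use
    elif pinned != server_key:
        sender.notices.append(f"{contact}: key changed {pinned} -> {server_key}")
        if not auto_resend:
            return []                                  # hold until the user verifies the new key
        sender.pinned[contact] = server_key            # accept the new key and resend as-is
    return [(server_key, t) for t in sender.outbox.get(contact, [])]

def simulate(auto_resend):
    """Recipient is offline with a message pending when the server reports a new key.
    Returns (messages sent after the key change, notices raised)."""
    s = Sender()
    queue(s, "bob", "meet at 9")
    flush(s, "bob", "KEY_BOB_1", auto_resend)          # encrypted to KEY_BOB_1, never acknowledged
    resent = flush(s, "bob", "KEY_BOB_2", auto_resend) # server now reports a different key
    return resent, list(s.notices)

if __name__ == "__main__":
    for policy in (False, True):
        sent, notes = simulate(policy)
        print("auto_resend=%s -> resent %s, notices %s" % (policy, sent, notes))
```

With `auto_resend=True` the unacknowledged message is re-encrypted to whatever key the server supplies, which is the retransmission behaviour the article objects to; with `auto_resend=False` nothing leaves the device until the user acts on the notice.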
It highlights the need for key transparency (Security Through Transparency). Encryption is a foundational technology for the web.
End-to-end encryption is a way of transmitting a message so that it can only be read by the intended recipient, not intercepted by accessing the servers or the networks via which the message is sent.
Experts said the findings were "serious" and "alarming" at a time when governments are looking for ways to bypass encryption, and criticised the company for violating users' privacy.
"The potential for government abuses from this misuse of encryption with WhatsApp is alarming," said Kevin Bocek, chief cyber security strategist at Venafi. "This is a serious vulnerability."