- The 16-inch MacBook Pro is a beast, and it has a decent keyboard 3 Years Ago
- This group is scanning thousands of faces in Congress today to protest facial recognition 3 Years Ago
- Why everyone is debating Pete Buttigieg’s Medicare for All stance? Today 10:47 AM
- The Motorola Razr is a foldable homage to millennial nostalgia Today 10:22 AM
- The ‘I’m baby’ meme gets much more literal on TikTok Today 10:20 AM
- MrDeadMoth avoids jail time for assaulting pregnant partner during live stream Today 9:21 AM
- Deval Patrick 2020 fever is not catching on Today 9:08 AM
- How to stream Steelers vs. Browns on Thursday Night Football Today 8:13 AM
- How to stream Mexico vs. Netherlands in the U-17 World Cup semis Today 6:46 AM
- ‘Waves’ wrestles with the family drama and breaks it in half Today 6:30 AM
- QAnon-touting congressman sneaks ‘Epstein Didn’t Kill Himself’ into tweets Wednesday 7:12 PM
- Ocasio-Cortez met a famous drag queen–and the right melted down Wednesday 6:09 PM
- Woman says Lyft driver tried to kidnap her Wednesday 5:18 PM
- Debunking the right-wing conspiracy theories from the impeachment hearing Wednesday 4:29 PM
- Maroon 5 approves of the latest TikTok trend Wednesday 3:54 PM
A security researcher and cryptographer from the University of California has discovered a vulnerability in Facebook’s WhatsApp messaging service that, if exploited, would allegedly allow a third party to snoop on the encrypted messages of over a billion people, the Guardian reports.
However, the company behind the encryption technology has disputed the security researcher’s claims.
Across the world, in oppressive regimes and the post-Snowden West, journalists and activists have used WhatsApp’s secure messaging to communicate in confidentiality and privacy, making this discovery all the more alarming.
Facebook bought WhatsApp in 2014 for a hefty $22 billion and, in April 2016, implemented the Signal protocol, a respected end-to-end encryption methodology with no known weaknesses that is owned and developed by a company called Open Whisper Systems.
End-to-end encryption works by creating a unique pair of security keys for messages to verify and protect communication between users. It’s supposed to prevent the communications being read or intercepted and thus protect the privacy of users.
Researcher Tobias Boelter, however, says he discovered a problem with the way in which Facebook applies the Signal protocol.
While the company did implement the encryption protocol, it also applied a new function that would give WhatsApp the ability to resend undelivered messages. In resending, the application generates a new unique security key, which makes that individual message readable to WhatsApp.
In a statement, WhatsApp defended the resending of messages as a practical function: “In many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
However, for many users who utilize the service because of its privacy feature, this function could raise alarm since it can be seen to weaken the Signal protocol, according to Boelter, and allegedly exposes their private communications to governments, police, or hackers—albeit only in the context that a message goes undelivered.
Open Whisper Systems says this interpretation is entirely incorrect, explaining in a lengthy blog post in response to the Guardian article:
The fact that WhatsApp handles key changes is not a “backdoor,” it is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.
The only question it might be reasonable to ask is whether these safety number change notifications should be “blocking” or “non-blocking.” In other words, when a contact’s key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.
Signal went on to say that it feels WhatsApp’s choice to display the non-blocking notification is appropriate. “It provides transparent and cryptographically guaranteed confidence in the privacy of a user’s communication, along with a simple user experience,” the company said.
It’s important to note that the issue Boelter raises is not inherent in the Signal protocol, according to the Guardian, which has been touted by NSA whistleblower Edward Snowden and renowned cryptographers.
End-to-end encryption is designed to minimize the data that even the service provider can access, hiding even the security keys. When Open Whisper Systems were handed a subpoena in 2016, requiring it to give up user data, it could only share when a user had signed up and the last time they had logged in.
However, if in fact WhatsApp can exploit access to undelivered messages via this function, it could land the company in a compromising legal place, according to Boelter.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter reported to the Guardian.
Facebook did not immediately respond to multiple requests for comment.
Update 6:50pm CT, Jan. 13: Open Whisper Systems has disputed the Guardian‘s report. We have updated our story, including the headline, to reflect the new information provided by the company.
David Gilmour is a reporter who specializes in national politics, internet culture, and technology.