The Guardian newspaper has reported that the popular messaging platform WhatsApp is vulnerable to interception, sparking concern over an app advertised as putting an emphasis on privacy. The report said that WhatsApp messages could be read without its billion-plus users knowing due to a security backdoor in the way the company has implemented its end-to-end encryption protocol.
WhatsApp has denied claims of vulnerability, described as 'backdoor', saying that it's a security feature related to message delivery in order to ensure messages don't get lost in transit. The system relies on unique security keys "that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman," the report said.
But WhatsApp can force the generation of new encryption keys for offline users "unbeknown to the sender and recipient of the messages," it said.
Tobias Boelter, a cryptography researcher at the University of California told the Guardian: "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys." Boelter said he had reported the backdoor vulnerability to Facebook in April 2016 and was told that Facebook was already aware of the issue but that it was not actively being worked on.
The company said in a statement that it provided a "simple, fast, reliable and secure" service, and that there was a way of notifying users when a contact's security code had changed.
"We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp.... In these situations, we want to make sure people's messages are delivered, not lost in transit," it said in a statement.