WhatsApp’s reported vulnerability is actually a security feature

The reported “back door” which can give access to others to intercept WhatsApp messages is not a vulnerability but a security feature of encryption from WhatsApp.

The Guardian’s report on the backdoor which can allow Facebook and others to intercept and read encrypted messages spooked everyone yesterday. The issue was the inability of users to understand why encryption key changes itself whenever someone switches phone, changes one’s phone number or re-installs the app.

The Guardian reported this change of encryption key to be a security loophole which can give others and government access to users’ messages and information.

WhatsApp statement

WhatsApp responded that it is not a security loophole and it’s very disappointing how Guardian misled users. This is actually how the cryptography works. The statement reads,

“WhatsApp’s encryption uses Signal Protocol, as detailed in the technical whitepaper. In systems that deploy Signal Protocol, each client is cryptographically identified by a key pair composed of a public key and a private key. The public key is advertised publicly, through the server, while the private key remains private on the user’s device.

This identity key pair is bound into the encrypted channel that’s established between two parties when they exchange messages, and is exposed through the “safety number” (aka “security code” in WhatsApp) that participants can check to verify the privacy of their communication.

Most end-to-end encrypted communication systems have something that resembles this type of verification, because otherwise an attacker who compromised the server could lie about a user’s public key, and instead advertise a key which the attacker knows the corresponding private key for. This is called a “man in the middle” attack, or MITM, and is endemic to public key cryptography, not just WhatsApp.

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”

WhatsApp users should turn on security notifications by accessing Settings > Account > Security to avoid any security risk.