WhatsApp is one of the many cross-platform messaging services that promise their users end-to-end encryption. Ideally, this would mean that only the participants in the conversation will be able to read the messages and no one else, not even WhatsApp, will have access to them. However, according to a new report, there’s a WhatsApp bug that might enable snooping of encrypted messages.
The Guardian reports that Tobias Boelter, a security researcher at the University of California, Berkeley, has found a WhatsApp bug that may be the result of the manner in which the app handles offline messages.
End-to-end encryption works only when the two users each hold their part of the secure key that is used to encrypt and then decrypt the message. Anyone who doesn’t have that automatically and randomly generated key can’t access the messages.
It looks like WhatsApp has compromised that system itself to ensure that messages are always sent, even if the recipient is offline. According to the report, WhatsApp has the ability to force the generation of new encryption keys for offline users without the knowledge of the sender and the recipient. This makes the sender re-encrypt, with the new keys, any and all messages that have not been marked as delivered and send them again.
While this doesn’t mean that hackers will be able to take advantage of the bug, it does leave the door open to governments that, when armed with an appropriate court order, can call on WhatsApp to leverage this bug and provide them with access to encrypted messages.
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor,” the Facebook-owned company said in a statement.
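The offline-message behaviour described above can be modelled in a few lines. This is an added example, not WhatsApp's code: the `Sender` class, the `hold_on_key_change` switch, and the sample keys and messages are all hypothetical, and only the key bookkeeping is modelled, not real encryption. It contrasts automatic re-encryption of undelivered messages with a client that holds them until the user has verified the new key.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Short key fingerprint a user could compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

class Sender:
    """Toy sender-side queue: models key bookkeeping only, no real encryption."""

    def __init__(self, recipient_key: bytes, hold_on_key_change: bool):
        self.verified_fp = fingerprint(recipient_key)  # key the user has checked
        self.current_fp = self.verified_fp             # key the server last announced
        self.hold_on_key_change = hold_on_key_change   # hypothetical policy switch
        self.undelivered = []  # sent while the recipient was offline
        self.held = []         # waiting for the user to verify a new key
        self.sent = []         # (message, key fingerprint, key was verified?)

    def _encrypt_and_send(self, messages):
        verified = self.current_fp == self.verified_fp
        self.sent += [(m, self.current_fp, verified) for m in messages]

    def send_while_offline(self, message: str):
        self.undelivered.append(message)

    def on_key_change(self, new_key: bytes):
        """The server announces a new key for the offline recipient."""
        self.current_fp = fingerprint(new_key)
        queued, self.undelivered = self.undelivered, []
        if self.hold_on_key_change:
            self.held += queued             # nothing leaves until the user decides
        else:
            self._encrypt_and_send(queued)  # behaviour described in the report

    def user_verifies_new_key(self):
        self.verified_fp = self.current_fp
        released, self.held = self.held, []
        self._encrypt_and_send(released)

    def sent_to_unverified_key(self):
        return [m for m, _fp, verified in self.sent if not verified]

def run_scenario(hold_on_key_change: bool) -> Sender:
    # Constructed sample keys and messages, for illustration only.
    sender = Sender(b"constructed-key-A", hold_on_key_change)
    sender.send_while_offline("meet at 6")
    sender.send_while_offline("bring the documents")
    sender.on_key_change(b"constructed-key-B")
    return sender
```

With `hold_on_key_change=False` both queued messages end up encrypted to a key the sender never checked; with `True` they stay in `held` until `user_verifies_new_key()` is called.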