A security researcher has discovered a vulnerability in the messaging platform that allows third parties to intercept messages. Although notified in April, Facebook has failed to redress the security flaw.
Tobias Boelter, a cryptography researcher at the University of California in Berkeley, on Friday confirmed a report by “The Guardian” concerning a security flaw in the Facebook-owned WhatsApp messaging application.
“High-risk users of WhatsApp, like people who are communicating very sensitive information, they should definitely be worried. Governments could instruct WhatsApp to intercept their communication. WhatsApp themselves could intercept targeted messages,” Boelter told DW.
The security flaw concerns unique security keys that are exchanged between WhatsApp users and verified in order to ensure communication is not intercepted by a third party.
However, new encryption keys can be generated for offline users by WhatsApp or a third party, according to Boelter.
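The dispute in the article comes down to what a client does when the key it has pinned for a peer is replaced while that peer is offline: accept the new key and re-encrypt any queued messages to it, or hold the messages until the user has re-verified the peer. The following is an added illustration of those two policies, not code from WhatsApp, the Signal protocol, or Boelter's research. It is a simplified model: the "keys" are constructed byte strings and the "safety number" is a truncated SHA-256 of the key; no real encryption happens.

```python
"""Trust-on-first-use key pinning with two key-change policies (added illustration)."""
import hashlib
from dataclasses import dataclass, field

AUTO_RESEND = "auto_resend"          # accept the new key, re-encrypt queued messages
BLOCK_ON_CHANGE = "block_on_change"  # hold queued messages until the user re-verifies


def fingerprint(public_key: bytes) -> str:
    """Short digest a user could compare out of band (stand-in for a safety number)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Client:
    policy: str
    pins: dict = field(default_factory=dict)        # peer -> pinned fingerprint
    pending: set = field(default_factory=set)       # peers with an unverified key change
    outbox: list = field(default_factory=list)      # (peer, text) awaiting delivery
    log: list = field(default_factory=list)

    def learn_key(self, peer: str, public_key: bytes) -> str:
        """Record the key the server presents for `peer`; detect changes against the pin."""
        fp = fingerprint(public_key)
        if peer not in self.pins:
            self.pins[peer] = fp                     # first use: trust and pin
            self.log.append(f"{peer}: pinned {fp}")
            return "pinned"
        if self.pins[peer] == fp:
            return "match"
        self.pins[peer] = fp                         # key differs from the pin
        self.log.append(f"{peer}: key changed to {fp}")
        if self.policy == BLOCK_ON_CHANGE:
            self.pending.add(peer)                   # nothing goes out until re-verified
            return "changed_blocked"
        return "changed_accepted"

    def user_verified(self, peer: str) -> None:
        """The user compared fingerprints out of band and confirmed the new key."""
        self.pending.discard(peer)

    def trusted(self, peer: str) -> bool:
        return peer in self.pins and peer not in self.pending

    def queue(self, peer: str, text: str) -> None:
        self.outbox.append((peer, text))

    def flush(self) -> list:
        """Deliver queued messages to peers whose key is trusted; hold the rest."""
        delivered, held = [], []
        for peer, text in self.outbox:
            (delivered if self.trusted(peer) else held).append((peer, text, self.pins.get(peer)))
        self.outbox = [(p, t) for p, t, _ in held]
        return delivered


def simulate(policy: str) -> dict:
    """Alice pins Bob's key, queues a message while Bob is offline, then sees a new key."""
    alice = Client(policy)
    alice.learn_key("bob", b"constructed-bob-key-1")
    alice.queue("bob", "meet at 9")                     # Bob offline: message waits
    alice.learn_key("bob", b"constructed-bob-key-2")    # server presents a fresh key
    before = alice.flush()                              # what leaves without user action
    alice.user_verified("bob")
    after = alice.flush()                               # what leaves once re-verified
    return {"sent_before_verify": before, "sent_after_verify": after, "log": alice.log}


if __name__ == "__main__":
    for policy in (AUTO_RESEND, BLOCK_ON_CHANGE):
        print(policy, simulate(policy))
```

Under `AUTO_RESEND` the queued message is re-encrypted to whatever key the server presents, which is the behaviour WhatsApp describes as a delivery feature and Boelter describes as an interception path; under `BLOCK_ON_CHANGE` the message stays in the outbox until the user confirms the new fingerprint out of band. Either way the key change is logged, which is the minimum a client should surface to the user.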
“Proprietary closed-source crypto software is the wrong path. After all this – potentially malicious code – handles all our decrypted messages,” Boelter said in a blog post in April.
“Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI,” he added.
Meanwhile, WhatsApp said in a statement that the generation of new encryption keys for offline users or users using another device is a feature.
“We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp … In the situation, we want to make sure people’s messages are delivered, not lost in transit,” the company said in a statement.