A new WhatsApp vulnerability that allows Facebook and others to read the encrypted conversations has been found within the WhatsApp messaging service.Even though the company claims that WhatsApp is secure, this particular vulnerability shows that its messages can be read by Facebook due to end-to-end encryption protocol.The governments can easily use these kinds of vulnerabilities to snoop on users who believe their messages are secure.
WhatsApp encryption protocol depends on the encryption keys using the acclaimed signal protocol generated by Open Whisper Systems assures that the conversations are secure and cannot be interpreted.WhatsApp has the ability to force the creation of new encryption keys for offline users which is unknown to both sender and receiver.This makes the sender to re-encrypt the messages and send them again for any messages that is not yet delivered.The recipient is not notified about this and the sender is notified only if the sender has opted-in encryption warnings in Settings.This re-encryption allows to read the WhatsApp conversations effectively.
This vulnerability was discovered by Tobias Boelter,a cryptography and security researcher at the University of California,Berkeley.WhatsApp implementation automatically resend the message which is not yet delivered by generating new keys without notifying the sender and not giving chance to prevent it.The security researcher Boelter has already reported this vulnerability before but he was told by Facebook that they were aware of the issue and that its an expected behavior and was not being actively worked on.So it was verified by other specialists that the threat is still active.
Since WhatsApp is not capable of securing the messages and by re-generation of encryption keys the conversations can be interpreted and read by others,it provides an insecure platform.This vulnerability questions the privacy of the users across the world who trusts WhatsApp.
WhatsApp responded to this in a way that says that they does not give governments a backdoor into their systems and would fight against any request form governments to create a backdoor.There is an option in Settings->Account->Security->Show Security notifications which notifies when a contacts security code is changed.This is important because people constantly change mobile phones and sim cards which changes the security codes.Facebook assures that the messages will be secure and users won't be betrayed because of this vulnerability.