After Guardian’s post early on Whats App vulnerability was published last week, security experts from all over the word have been discussing the validity of this vulnerability and intensions behind it. Facebook denied this as a vulnerability going against Guardian and the intension behind it as design decision.
However some of the most respected security experts like Bruce Schneier has backed up Guardian with a article from Rolf Weber posted during March 2016 which demonstrated the defeat of Facebook’s end-to-end encryption.
Facebook has the capability to force generate new encryption keys for offline users without knowing to the user and then re-encrypt the message again with new keys before sending the message back to the user. Rebroadcasting takes place here and the user thinks everything is fine whereas in reality what’s app server controls the re transit of the messages. In a true end to end encryption, the messages must not be delivered and the user must be notified when he/she comes back online when new keys are generated.
This means, a Facebook server, government snooping or a hacker may be able to intercept and do the same completely defeating Facebook’s claim of end to end encryption.
The security vulnerability was discovered by Tobias Boelter, a security researcher from University of California, Berkeley, as published on Guardian. Tobias reported this to Facebook but fb didn’t bother to address the concern which is not new based on prior history. (White hat #1008534892515816)
Tobias told the Guardian that “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Tobias demonstrates the flaw in video below.
Tobias also demonstrates the same with Voice.
The whole issue may not be a issue in many ways but it is a issue if Facebook holds on to the claim of end-to-encryption drama. We hope Facebook takes sone responsibility and tries to fix and make it a true end-to-end encryption.