WhatsApp features a security backdoor which can be used by its parent company Facebook, and potentially even governments, to read encrypted messages, The Guardian reported.
The discovery was made by Tobias Boelter, a security researcher at the University of California, Berkeley, who told the newspaper WhatsApp “can effectively grant access” to government agencies if they request that the company disclose its messaging records.
Brazil’s government has blocked WhatsApp in the past for repeatedly failing to give it access to messages which could help in a drugs case. WhatsApp has consistently said it cannot read messages itself since it introduced end-to-end encryption for all traffic sent through the app in April 2016.
The Guardian report explains that WhatsApp’s end-to-end encryption relies on unique security keys for each user. If a message is still undelivered when the recipient’s key changes, the sender’s app automatically re-encrypts it to the new key and resends it, without warning the sender unless a notification setting has been switched on. Because the keys are distributed through WhatsApp’s servers, the report argues, this re-encryption step would let WhatsApp, or anyone able to compel it, substitute a key of its own and read the resent messages.
Boelter said he informed Facebook of the issue in April 2016, but was told it was “expected behaviour”.
The Guardian quoted Jim Killock, executive director of Open Rights Group, as saying: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws.”
A WhatsApp spokesperson said the app has an option that notifies users when a contact’s security code changes, which usually happens when they switch phones or reinstall the app.
“In these situations, we want to make sure people’s messages are delivered, not lost in transit,” they said.
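As an added example (not WhatsApp’s code and not something from the Guardian report), the following Python model shows the trade-off the report and the spokesperson describe: a sender holding an undelivered message, a key server that starts advertising a different key for the recipient, and a notify-on-key-change setting that is off by default. The key server, client, and security-code derivation are simplified stand-ins (random 32-byte identity keys and a SHA-256 fingerprint of both parties’ keys); WhatsApp’s real derivation and API are not reproduced, and the names `KeyServer`, `Client` and `run_scenario` are assumptions for illustration. The model separates the benign case (the peer reinstalled and has a genuine new key) from a substituted key, which only an out-of-band comparison of security codes can tell apart.

```python
import hashlib
import os
from dataclasses import dataclass, field


def new_identity_key() -> bytes:
    """Stand-in for a device's long-term identity public key (assumed model)."""
    return os.urandom(32)


def security_code(key_a: bytes, key_b: bytes) -> str:
    """Order-independent fingerprint of both identity keys.

    Modelled on the idea of a safety number; the real WhatsApp
    derivation is an assumption and is not reproduced here.
    """
    return hashlib.sha256(b"".join(sorted((key_a, key_b)))).hexdigest()[:16]


class KeyServer:
    """Directory that hands out identity keys. Whoever controls it can
    substitute a key, which is the interception the report describes."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def publish(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def lookup(self, user: str) -> bytes:
        return self.keys[user]


@dataclass
class Client:
    name: str
    server: KeyServer
    notify_on_key_change: bool = False          # off by default, as reported
    identity: bytes = field(default_factory=new_identity_key)
    peer_keys: dict[str, bytes] = field(default_factory=dict)   # trust-on-first-use cache
    outbox: list[tuple[str, bytes, str]] = field(default_factory=list)     # (to, key used, text)
    delivered: list[tuple[str, bytes, str]] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.server.publish(self.name, self.identity)

    def send(self, to: str, text: str) -> None:
        """Encrypt to the key on file for the peer (fetched on first use) and queue it."""
        key = self.peer_keys.setdefault(to, self.server.lookup(to))
        self.outbox.append((to, key, text))

    def retry_undelivered(self) -> None:
        """Resend queued messages. If the server now advertises a different key
        for the peer, re-encrypt to it. Delivery proceeds either way; the
        setting only controls whether the sender is told the code changed."""
        pending, self.outbox = self.outbox, []
        for to, key, text in pending:
            current = self.server.lookup(to)
            if current != key:
                if self.notify_on_key_change:
                    self.alerts.append(
                        f"security code with {to} changed: "
                        f"{security_code(self.identity, key)} -> "
                        f"{security_code(self.identity, current)}")
                self.peer_keys[to] = current
                key = current
            self.delivered.append((to, key, text))

    def code_with(self, peer: str) -> str:
        return security_code(self.identity, self.peer_keys[peer])


def run_scenario(notify: bool, substitute_key: bool) -> dict:
    """substitute_key=True: the server swaps in an attacker key while a message
    is undelivered. False: the peer genuinely re-registers (new phone)."""
    server = KeyServer()
    bob = Client("bob", server)
    alice = Client("alice", server, notify_on_key_change=notify)
    alice.send("bob", "meet at 9")           # Bob is offline; stays in the outbox

    if substitute_key:
        server.publish("bob", new_identity_key())   # Bob's real key is unchanged
    else:
        bob = Client("bob", server)          # reinstall: fresh but genuine key

    alice.retry_undelivered()
    _, key_used, _ = alice.delivered[0]
    return {
        "alerted": bool(alice.alerts),
        "encrypted_to_real_bob": key_used == bob.identity,
        # Out-of-band check: Alice reads out her code, Bob compares it with
        # the code his own app shows for Alice.
        "codes_match": alice.code_with("bob") == security_code(bob.identity, alice.identity),
    }


if __name__ == "__main__":
    for notify in (False, True):
        for substitute in (False, True):
            print(f"notify={notify} substituted={substitute}:", run_scenario(notify, substitute))
```

With the notification off, a substituted key produces no alert at all, so the sender has no cue to compare codes; with it on, both the benign reinstall and the substitution raise the same alert, and only the out-of-band comparison distinguishes them. That is why the alert alone is a prompt to verify rather than proof of tampering.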
WhatsApp has also faced scrutiny from several countries and organisations, including privacy watchdogs in Europe and the FTC in the US, since it said it would pass some user information to Facebook.