WhatsApp has denied reports that encrypted messages on its platform can be read or intercepted, saying the behaviour in question is a deliberate design decision relating to message delivery: new keys are generated for offline users so that messages do not get lost in transit.
The Guardian reported on Friday that a security vulnerability had been found in Facebook's WhatsApp messaging service that could be used to allow Facebook and others to intercept and read encrypted messages.
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a ‘backdoor’ allowing governments to force WhatsApp to decrypt message streams. This claim is false,” said a company spokesperson in a statement sent to TechCrunch.
WhatsApp said that it does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor.
“The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks,” the statement added.
WhatsApp has published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.
The security issue was detected by Tobias Boelter, a cryptography and security researcher, and reported by the Guardian.
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter was quoted as saying.
However, many security commentators have said that the claimed vulnerability is nothing new, “but rather a rehashing of the long-standing issue of how key verification is implemented within an encrypted system.”
“If someone would demand WhatsApp to implement a backdoor, you might expect them to implement something more obvious. Like responding with the history of all conversations when triggered to do so with a certain secret message. Furthermore, this flaw can be explained as a programming bug,” Boelter was quoted as saying.
He said that Facebook had not fixed the flaw since he reported it to them in April 2016.
“So maybe it was a bug first, but when discovered it got started being used as a backdoor,” he added.
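As an added illustration (not WhatsApp's code, and using a labelled toy cipher in place of real Signal-protocol sessions), the following models the sender-side choice at the heart of the dispute: when a contact's identity key changes while a message is queued for an offline recipient, a client can silently re-encrypt under the new key, re-encrypt and raise a security notification, or block until the new key is verified. The `Sender` class, the policy names and the key values are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field


def toy_encrypt(identity_key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for session encryption: XOR with a SHA-256 keystream
    derived from the recipient's identity key. Constructed for illustration
    only; it is not a real cipher and must not be used as one."""
    stream = hashlib.sha256(identity_key).digest()
    return bytes(p ^ stream[i % 32] for i, p in enumerate(plaintext))


@dataclass
class Sender:
    # "resend_silently" | "resend_and_notify" | "block_until_verified" (assumed names)
    policy: str
    trusted: dict = field(default_factory=dict)      # contact -> pinned identity key (TOFU)
    notifications: list = field(default_factory=list)

    def deliver(self, contact: str, current_key: bytes, msg: bytes):
        """Encrypt msg for contact under the key the server currently advertises.
        Returns (status, ciphertext-or-None)."""
        pinned = self.trusted.get(contact)
        if pinned is None:
            self.trusted[contact] = current_key      # first contact: trust on first use
            return "sent", toy_encrypt(current_key, msg)
        if pinned == current_key:
            return "sent", toy_encrypt(current_key, msg)
        # Identity key changed while the message was in flight: a reinstall or new
        # phone, or a key the sender has no way to distinguish from one.
        if self.policy == "block_until_verified":
            return "blocked", None                   # hold until the user verifies the new key
        self.trusted[contact] = current_key          # re-pin and re-encrypt under the new key
        if self.policy == "resend_and_notify":
            self.notifications.append(f"{contact}: security code changed")
        return "resent", toy_encrypt(current_key, msg)


def simulate(policy: str):
    """Constructed scenario: the first message pins key_a; the recipient is
    offline when the queued second message goes out and now presents key_b."""
    key_a, key_b = b"identity-key-A", b"identity-key-B"   # constructed sample keys
    s = Sender(policy)
    statuses = [s.deliver("bob", key_a, b"hello")[0],
                s.deliver("bob", key_b, b"queued while offline")[0]]
    return statuses, s.notifications
```

Only the notifying and blocking policies give the sender any signal that the key under which the queued message was re-encrypted is not the one they first trusted.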