It appears that a backdoor in the Signal encryption protocol that WhatsApp uses to encrypt messages can be used to read the messages that people send and receive on the platform, according to reports.
According to Tobias Boelter, a cyber security expert at the University of California, WhatsApp's parent company Facebook can easily access the messages of clients who use the messaging platform by secretly changing the sets of public and private encryption keys that it uses for the messages.
‘If Facebook or even a hacker takes advantage of the exchange mechanism that WhatsApp uses, the company or hacker can comfortably read all the messages of users,’ Tobias adds.
According to The Guardian, the backdoor in question is a set of processes that WhatsApp conducts in the course of encrypting and decrypting the messages of its clients.
Ideally, the company generates a set of keys that it keeps as backup keys which it can use to facilitate the exchange of messages among users at any other given time.
In practice, WhatsApp is expected to use the keys to re-encrypt and then decrypt messages in cases where a receiver is delayed in getting a message sent on the platform.
A common scenario is when the receiver of a message changes the device used to access WhatsApp after a message has been sent but not yet received. In such a case, the receiver will have to activate the old WhatsApp account on the new device, The Guardian explains.
However, when the receiver has to reactivate his or her account on the new device, WhatsApp has to encrypt the message afresh using its backup keys before allowing the receiver to decrypt the messages using another set of keys.
It is in the course of this process that hackers and even Facebook can easily access the messages of people who use WhatsApp and other instant messaging services that use end-to-end encryption, Tobias explains.
However, it appears that WhatsApp and Facebook are of a different opinion. According to The Guardian, Facebook defended the backdoor back in April 2016, saying that the backdoor was necessary to make WhatsApp highly user-friendly.
Later, a WhatsApp spokesperson said that the feature was meant to help people who may be offline for any reason at any given time to still access their WhatsApp messages in a secure state later. It has been reported that the company has remained silent on the danger that its customers face if hackers manage to access the feature.