WhatsApp has left vulnerability unchanged for almost a year

WhatsApp has still not resolved a vulnerability suggested in April 2016, according to The Guardian, based on a report from a security researcher. Messages can in theory be viewed by third parties via the vulnerability. According to the service, the weakness is by design.

The vulnerability was raised in April 2016 by security researcher Tobias Boelter. He found that there is a weakness in WhatsApp’s end-to-end encryption. If a user’s message is not sent, for example because it is offline, WhatsApp will send it anyway and forces the encryption with a new key. Only after the message has arrived at the recipient will they receive a notification that the encryption key has been changed.

This makes abuse possible, according to Boelter, who gives the example of sending two messages in succession, where the second does not arrive because the recipient is offline or because the WhatsApp server does not forward the message. The first message simply arrives via the encrypted channel to the actual recipient based on their public key. In the meantime, an attacker can register the recipient’s phone number through, for example, spoofing. WhatsApp will then automatically send the second message to the attacker based on the new encryption key that the service generates. Only after receipt does the sender see that his message has arrived at someone whose security code has been changed.

Boelter told The Guardian that changing the encryption keys, for example, enables government services to request messages from WhatsApp, also on a large scale. “The WhatsApp server can forward messages without indicating that they have been received by the recipient. Using the retransmission vulnerability, the WhatsApp server can get a transcript of an entire conversation, not just a single message.”

WhatsApp already announced last year that it was aware of the vulnerability, but that it is not yet working on solving it. The service said that this may still happen in the future, but almost a year later, it has still not been done.

The security of the chat service is based on the Signal protocol of Open Whisper Systems. That organization’s Signal app does not contain the issue. The app detects that the key has been changed and does not pass on the message. WhatsApp tells The Guardian that it wants to make sure that messages arrive anyway, even if security codes change. “In many parts of the world, people regularly change phones and SIMs.” The service points out that users can indicate in the security settings that they will receive a notification when a contact changes their security code.