The WhatsApp messages are enabled to be spied after all
The British
newspaper "The Guardian " reveals that while Facebook ensures that
encrypted WhatsApp messages are tamper-evident, Tobias Boelter, an encryption
specialist and security researcher at the University of California, has
discovered that the application has "hidden access " that allows the
company to access messages and Provide a key to the authorities, so they can
spy on users.
This finding is causing outrage among online privacy advocates, who resemble cases of activists and diplomats who resort to this application to escape the control of governments and law enforcement agencies according to the paper.
Although the security protocol used by WhatsApp - Signal - does not have this vulnerability, the company has implemented this access for practical reasons of the program's operation, but that can be otherwise used by someone intending to access confidential information.
During communication between two users, the system creates keys verified by the two mobile phones in contact through the Signal protocol. Summarizing the problems in deepening technical details, the question is based on how the encryption of messages is done.
In theory, this communication is tamper-evident, but with the existing vulnerability, WhatsApp may change the key without users noticing it before the message is delivered to a user who is offline. With this new key, the system resends the messages to be delivered and, from that moment on, is able to access the contents sent.
The recipient of the message never notices these changes, but the sender may be advised of the change of the key if the crypto alert has been activated.
WhatsApp says vulnerability is not a bug, but a practical design issue. Without this possibility, it guarantees, if a user switches from mobile phone or phone number while offline, messages sent in the meantime would not be delivered, because the original key of the message would not be recognized on the new handset.
This feature will not be useful for advertising profiles by Facebook, but it may be useful for States wishing to spy on their citizens, according to "The Guardian ".
This finding is causing outrage among online privacy advocates, who resemble cases of activists and diplomats who resort to this application to escape the control of governments and law enforcement agencies according to the paper.
Although the security protocol used by WhatsApp - Signal - does not have this vulnerability, the company has implemented this access for practical reasons of the program's operation, but that can be otherwise used by someone intending to access confidential information.
During communication between two users, the system creates keys verified by the two mobile phones in contact through the Signal protocol. Summarizing the problems in deepening technical details, the question is based on how the encryption of messages is done.
In theory, this communication is tamper-evident, but with the existing vulnerability, WhatsApp may change the key without users noticing it before the message is delivered to a user who is offline. With this new key, the system resends the messages to be delivered and, from that moment on, is able to access the contents sent.
The recipient of the message never notices these changes, but the sender may be advised of the change of the key if the crypto alert has been activated.
WhatsApp says vulnerability is not a bug, but a practical design issue. Without this possibility, it guarantees, if a user switches from mobile phone or phone number while offline, messages sent in the meantime would not be delivered, because the original key of the message would not be recognized on the new handset.
This feature will not be useful for advertising profiles by Facebook, but it may be useful for States wishing to spy on their citizens, according to "The Guardian ".
