Facebook-owned WhatsApp proudly pats itself on the back in front of its customers for enabling end-to-end encryption for all messages and calls made through the instant messaging app. It says no one except the sender and the receiver of a message can read it. But that claim appears to be not entirely true, after The Guardian reported on new research by UC Berkeley researcher Tobias Boelter.
According to Boelter, WhatsApp’s encryption system has a loophole (or a backdoor) that allows Facebook and friends to access the “encrypted” messages. To enable encryption, a unique cryptographic key exchange takes place between the sender and receiver. The key encrypts or decrypts the messages.
The research throws light on the fact that Facebook (via WhatsApp) can change the cryptographic key for any undelivered message – when the app is not connected to the internet – which in turn allows them to read it. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told The Guardian.
Boelter informed Facebook about the issue in April last year, but the company was already aware of it and wasn’t interested in fixing it. The loophole (backdoor) still exists and there is no way for the user to prevent it. However, there is a feature in WhatsApp that notifies the user if the encryption key has changed. It can be found in Settings > Account > Security > “Show security notifications”.
After initially hesitating to comment, WhatsApp later said in a statement that it doesn’t help the government with any “backdoor” and that it would resist if asked to create one.
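A simplified model of the sender-side behaviour described above, added here as an illustration and not WhatsApp's code: it contrasts a client that only notifies after a key change with one that holds undelivered messages until the user has verified the new key. The class, the `block_on_change` switch and the fingerprint format are hypothetical, and the model assumes the client re-sends undelivered messages under whatever key the server announces.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Short digest a user could compare out of band (constructed format)."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Sender:
    block_on_change: bool                         # hypothetical policy switch
    pinned: dict = field(default_factory=dict)    # contact -> trusted fingerprint
    pending: list = field(default_factory=list)   # undelivered (contact, text)
    notices: list = field(default_factory=list)   # what the user gets to see

    def queue(self, contact, key, text):
        self.pinned.setdefault(contact, fingerprint(key))  # trust on first use
        self.pending.append((contact, text))

    def on_key_update(self, contact, new_key):
        """Server announces a key for contact; return the texts re-sent under it."""
        new_fp = fingerprint(new_key)
        if self.pinned.get(contact) != new_fp:
            self.notices.append(f"security code for {contact} changed")
            if self.block_on_change:
                return []                 # hold messages until the user verifies
            self.pinned[contact] = new_fp  # notify-only: accept the key silently
        resent = [t for c, t in self.pending if c == contact]
        self.pending = [(c, t) for c, t in self.pending if c != contact]
        return resent

    def verify(self, contact, new_key):
        """User compared fingerprints out of band and accepts the new key."""
        self.pinned[contact] = fingerprint(new_key)
        return self.on_key_update(contact, new_key)

def demo(block_on_change):
    s = Sender(block_on_change)
    s.queue("bob", b"bob-key-1", "meet at 6")        # constructed sample data
    resent = s.on_key_update("bob", b"replacement-key-2")
    return resent, s.notices, s.pending

if __name__ == "__main__":
    print("notify only:", demo(False))
    print("blocking:   ", demo(True))
```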