A WhatsApp bug could enable government agencies to read encrypted messages, research suggests.
Security expert Thomas Boelter has uncovered a flaw in the app that means it could be possible to snoop on messages when encryption keys are reissued.
If you send a WhatsApp message to a phone which is offline, the app will attempt to resend it when the phone comes back online.
But if the recipient moves their WhatsApp account while they are offline to a different phone, the message will automatically resend to their new phone.
Facebook, WhatsApp’s owner, says this allows people who use multiple phones to automatically pick up messages whenever they switch handset.
But privacy advocates warn the system could enable governments to convince WhatsApp’s owner Facebook to register the recipient’s phone number to a new device, so that the new device picks up the message history when it’s activated.
In this case, the sender would only be notified after the messages have been sent, and only if they activated a warning feature in WhatsApp’s settings.
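The resend behaviour described above can be modelled as a small state machine on the sender's side. The following is an added illustration, not WhatsApp's code: key labels such as "K1" and "K2" stand in for real identity keys, and the "block until confirmed" policy is a hypothetical alternative included to show where a user-visible check could sit relative to the automatic resend.

```python
"""Model of the queued-message / key-change behaviour described in the article.

Constructed example: keys are labels, 'delivered' records which key each
message was encrypted under, and the returned trace shows the order of events
so the notification timing is visible.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SenderClient:
    peer_key: str                        # key the sender currently trusts for the recipient
    notify_on_key_change: bool = False   # the optional security-notification setting
    block_until_confirmed: bool = False  # hypothetical policy: hold queued messages on a key change
    queue: List[str] = field(default_factory=list)
    delivered: List[Tuple[str, str]] = field(default_factory=list)
    pending_key: Optional[str] = None    # set when a new key is awaiting user confirmation
    key_changed: bool = False            # remembers that a change happened, for the notification

    def send(self, text: str, peer_online: bool) -> None:
        """Deliver immediately if the peer is reachable, otherwise queue for retry."""
        if peer_online and self.pending_key is None:
            self.delivered.append((self.peer_key, text))
        else:
            self.queue.append(text)

    def on_key_change(self, new_key: str) -> None:
        """The recipient's number was re-registered on another device: a new key appears."""
        self.key_changed = True
        if self.block_until_confirmed:
            self.pending_key = new_key   # keep queued messages encrypted to nothing until confirmed
        else:
            self.peer_key = new_key      # automatic policy: silently adopt the new key

    def confirm_key(self) -> None:
        """User explicitly accepts the new key (only meaningful under the blocking policy)."""
        if self.pending_key is not None:
            self.peer_key, self.pending_key = self.pending_key, None

    def on_peer_online(self) -> List[str]:
        """Recipient comes back online: retry queued messages and return an event trace."""
        trace: List[str] = []
        if self.pending_key is not None:
            trace.append(f"held {len(self.queue)} message(s) until the user confirms the new key {self.pending_key}")
            return trace
        for text in self.queue:
            self.delivered.append((self.peer_key, text))
            trace.append(f"delivered under {self.peer_key}: {text!r}")
        self.queue.clear()
        # Under the automatic policy the warning, if enabled at all, comes only after delivery.
        if self.key_changed and self.notify_on_key_change:
            trace.append(f"notified after delivery: security code changed to {self.peer_key}")
            self.key_changed = False
        return trace


def simulate(notify_on_key_change: bool, block_until_confirmed: bool) -> List[str]:
    """Queue a message while the peer is offline, change the key, then bring the peer online."""
    client = SenderClient("K1", notify_on_key_change, block_until_confirmed)
    client.send("hello", peer_online=False)   # recipient offline: message is queued
    client.on_key_change("K2")                # number re-registered elsewhere: new key K2
    return client.on_peer_online()            # recipient back online: client retries


def simulate_confirmed() -> List[str]:
    """Blocking policy followed by an explicit confirmation, then the retry goes through."""
    client = SenderClient("K1", notify_on_key_change=False, block_until_confirmed=True)
    client.send("hello", peer_online=False)
    client.on_key_change("K2")
    first = client.on_peer_online()           # held, nothing delivered
    client.confirm_key()                      # user verifies the new security code
    return first + client.on_peer_online()    # now delivered under K2


if __name__ == "__main__":
    for args in [(False, False), (True, False), (False, True)]:
        print(args, simulate(*args))
    print("confirmed", simulate_confirmed())
```

The point the model makes visible is ordering: with the automatic policy the queued message is re-encrypted to the new key and delivered before any warning is raised, and no warning appears at all unless the setting is on; the hypothetical blocking policy holds the message until the sender has acted on the key change.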
Facebook introduced end-to-end encryption in WhatsApp last year, promising that neither itself nor a government agency could read the messages.
But Boelter, whose research was first reported by the Guardian, says his findings call that promise into question.
“If WhatsApp was asked by a government agency to disclose its messaging records it can effectively grant access due to the change in keys,” Boelter told the paper.
In a blog post, Boelter advised users concerned about their privacy to use Signal, an open source encrypted messaging service.
WhatsApp said in a statement: “In many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.
“WhatsApp does not give governments a backdoor into its systems and would fight any government request to create one. The design decision prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.
“WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”