WhatsApp contains backdoor that allows reading encrypted messages

Security researcher Tobias Boelter has found a backdoor in WhatsApp that allows the company to read encrypted messages. WhatsApp has stated that it is aware of the issue and will not fix it, because it considers it 'expected behavior'.

"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter told The Guardian.

Facebook, which owns WhatsApp, has always stated that nobody can access encrypted WhatsApp messages, including employees of the company. Today's report proves that that statement isn't correct. Boelter had already discovered the backdoor in 2016 and informed Facebook about the issue. The company replied that it was aware of the issue and added that it would not fix it because it is 'expected behavior'.

WhatsApp's end-to-end encryption uses unique encryption keys that are generated by the company itself. These are then exchanged and verified by the users. After the exchange, all messages are encrypted and can no longer be intercepted. However, WhatsApp is able to force the generation of new keys for users who are offline, and the recipient is not made aware of this change. The sender is only notified if an encryption warning is enabled in the settings (Settings -> Account -> Security -> Show security indicators), and only after the messages have been resent.

Because the receiver has received a new key from WhatsApp, messages sent earlier have to be re-encrypted with the new key. This includes all messages that haven't been marked as received (and therefore don't show two blue check marks in the app). At the moment the messages are re-encrypted and sent, WhatsApp employees can intercept the messages and read them.
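As an added illustration, not taken from the article or from WhatsApp's own code, the following toy Python model of a sender's outbox shows the mechanism described above: undelivered messages are re-encrypted under a newly announced recipient key and resent, and the sender is warned only afterwards, and only if the security indicator setting is on. The hypothetical `block_on_key_change` policy shows the defensive alternative of holding undelivered messages until the user has verified the new key. Key identifiers are placeholder labels and no real cryptography is performed.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    text: str
    key_id: str          # recipient key the message is (notionally) encrypted under
    delivered: bool = False


@dataclass
class SenderClient:
    """Toy model of one sender and one recipient; no real crypto, key ids are labels."""
    trusted_key: str                    # recipient key the sender last verified
    show_security_indicators: bool      # the setting the article refers to
    block_on_key_change: bool = False   # hypothetical hardening: hold mail until re-verified
    outbox: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    held_key: str = ""                  # new key waiting for the user's verification

    def send(self, text: str) -> None:
        self.outbox.append(Message(text, self.trusted_key))

    def ack(self, index: int) -> None:
        self.outbox[index].delivered = True  # the two blue check marks

    def _reencrypt_pending(self, new_key: str) -> list:
        pending = [m for m in self.outbox if not m.delivered]
        for m in pending:
            m.key_id = new_key
        self.trusted_key = new_key
        return pending

    def on_key_change(self, new_key: str) -> list:
        """Server announces a new recipient key; returns the messages resent under it."""
        if self.block_on_key_change:
            self.held_key = new_key
            self.warnings.append(f"key changed to {new_key}; undelivered messages held")
            return []
        # behaviour the article describes: undelivered messages are silently re-encrypted
        # and resent; the sender learns of it afterwards, and only if indicators are on
        pending = self._reencrypt_pending(new_key)
        if self.show_security_indicators:
            self.warnings.append(f"security code changed to {new_key} after {len(pending)} resend(s)")
        return pending

    def verify_and_release(self) -> list:
        """User has checked the new key out of band; only now resend the held messages."""
        key, self.held_key = self.held_key, ""
        return self._reencrypt_pending(key) if key else []
```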

The news has caused a lot of uproar among WhatsApp users, and several Twitter users have stated that they are quitting WhatsApp.