BERKELEY (CBS SF) — A cryptographer at the University of California at Berkeley says he believes he has found a security vulnerability in the messaging service WhatsApp that could be exploited by anyone with access to the company’s servers.
After the Guardian ran an article about the potential vulnerability on Friday, WhatsApp released a statement calling what Boelter describes as a security vulnerability a “design decision” that prevents millions of messages from being lost.
But Boelter told CBS San Francisco that he believes that to ensure end-to-end encryption, WhatsApp “should have fixed the flaw immediately after I reported it …”
“The implementation is flawed, so the guarantees of end-to-end encryption are not given. But it can be easily fixed,” Boelter said.
WhatsApp’s promise of end-to-end encryption, on which the company released a technical white paper last year, is very important to many of its more than one billion users. In particular, people living under oppressive regimes, as well as potential whistleblowers, are among those whose welfare – or lives – may depend on it.
Boelter explained the implications of the vulnerability he found, saying, “Can WhatsApp ‘wiretap’ and effectively read parts of future conversations? Yes.”
While WhatsApp maintains such functionality is a feature, Boelter says he hopes the company acknowledges it made the wrong security trade-off.
Open Whisper Systems, a San Francisco-based company which developed the Signal Protocol used by the WhatsApp messenger, published a blog post on Friday entitled “There is no WhatsApp ‘backdoor’.” But in the post, Open Whisper does not refute Boelter’s claims.
After a frenzy of media attention, the Ph.D. student is not budging.
He told CBS San Francisco, “Trading this tiny bit of more usability for this security compromise is not a good trade. Having a lock on my apartment door is also inconvenient when I lock myself out, but that doesn’t mean that I leave my door unlocked day and night.”
By Hannah Albarazi – Follow her on Twitter: @hannahalbarazi.