It turns out that if, for some reason, the recipient disconnects after the message is sent from the sender’s phone, WhatsApp generates a new security key. The first encrypted version of the message is deleted and the message is encrypted a second time with the new key.
To «unlock» the message and «lock» it again with another password, WhatsApp has to have access to your conversation and can even, in theory, read your messages if it wants. The problem, according to Tobias, is not the protocol used by the application, but the way it is used.
The Signal protocol was developed by Open Whisper Systems and is also used in another encrypted messaging application, also called Signal. This application is used and recommended by Edward Snowden, the former NSA analyst who revealed the US government’s spying methods to the world.
Signal, which uses the same encryption system, does not suffer from this security problem. If the recipient is not online during the conversation, the app simply warns that the message cannot be delivered, forcing the sender to write the message again and resend it when the contact comes online.
That’s not what happens on WhatsApp.
The application can also notify you when the security key is changed, but this warning must be enabled in the application settings. However, there is nothing to stop it. «If a country’s government asks WhatsApp to expose its message logs, it can actually do so by changing the security codes,» Tobias told British newspaper The Guardian.
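The difference described above between the two apps comes down to what the sender's client does with undelivered messages when the server reports a new key. The following sketch is an added example, not WhatsApp's or Signal's code: the class and function names are hypothetical, encryption is replaced by recording which key fingerprint each message ends up bound to, and the warning is modeled as informational only, which is an assumption.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    # Short digest two users could compare out of band (constructed format).
    return hashlib.sha256(identity_key).hexdigest()[:12]

@dataclass
class SenderClient:
    policy: str            # "retransmit" (WhatsApp-style) or "block" (Signal-style)
    trusted_fp: str        # fingerprint of the recipient key the sender last accepted
    warn: bool = False     # optional key-change warning from the app settings
    pending: list = field(default_factory=list)  # sent, not yet delivered
    events: list = field(default_factory=list)   # what the user gets to see

    def send(self, text: str) -> None:
        self.pending.append(text)

    def _flush(self, fp: str) -> list:
        # Stand-in for re-encryption: record which key each message is bound to.
        out = [(text, fp) for text in self.pending]
        self.pending.clear()
        self.trusted_fp = fp
        return out

    def on_key_change(self, new_key: bytes) -> list:
        # The server reports a new key for the recipient while messages are pending.
        fp = fingerprint(new_key)
        if self.policy == "block":
            self.events.append(f"held {len(self.pending)} message(s); verify {fp}")
            return []                      # nothing leaves until approve()
        resent = self._flush(fp)           # re-encrypted with no user decision
        if self.warn:
            self.events.append(f"security code changed to {fp}")  # informational only
        return resent

    def approve(self, new_key: bytes) -> list:
        # Block policy only: the user has verified the new key and resends.
        return self._flush(fingerprint(new_key))

# Constructed sample keys; real identity keys are public keys, not byte strings.
OLD_KEY, NEW_KEY = b"recipient-key-v1", b"key-announced-by-server"

def run(policy: str, warn: bool = False):
    client = SenderClient(policy, fingerprint(OLD_KEY), warn)
    client.send("meet at 9")
    return client, client.on_key_change(NEW_KEY)
```

Under the retransmit policy the pending message is already bound to the new key by the time any warning is recorded; under the block policy it stays queued until the user approves the new fingerprint.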
The researcher also said that Facebook, the owner of WhatsApp, was informed of this breach in April last year. According to Tobias, however, the company said it was «behavioral» and didn’t promise to do anything about it. This finding was confirmed by other Guardian-sponsored organizations, such as EBOHR (European Human Rights Organization).
In a statement, WhatsApp said it was not aware of this fact and pointed out that users can be notified of the changes in the encryption protocol. «We know the most common reason this happens [the exchange of security keys] is when a user switches phones or reinstalls WhatsApp,» the company said.
«In many parts of the world, people frequently change phones and SIM cards. In these situations, we want to make sure that messages are delivered and not lost along the way,» WhatsApp also said. The statement, however, does not confirm whether or not the company can read users’ messages thanks to this key exchange system.
It is not the first time that the privacy promised by WhatsApp has been called into question by its own actions. Last year, the app said it would share user data with Facebook. The company was prosecuted by the European Commission due to the change.
In Brazil, the service has been blocked more than once in recent years by judges who wanted WhatsApp to hand over the data of people under investigation. Each time, the company claimed that it was unable to access user conversations. If Tobias’ allegations are true, it follows that WhatsApp could indeed have delivered to the Brazilian justice system what it had asked for before being blocked.