It turns out that WhatsApp messages can be intercepted and read by governments or hackers, thanks to a security hole in the app.
This means that Facebook, which owns WhatsApp, and others, such as third-party hackers, could read encrypted messages because of the way WhatsApp's end-to-end encryption protocol is implemented, according to an investigation by The Guardian.
WhatsApp, which sells itself on its privacy and security, is often used by activists, dissidents and diplomats who believe it to be a secure way to communicate.
The security backdoor has been described as a “huge threat to freedom of speech” by privacy campaigners, who said it could be used by governments to snoop on users' messages. But Facebook said no one from the company could intercept WhatsApp messages.
WhatsApp's end-to-end encryption involves the generation of unique security keys through the use of the Signal protocol. These are then traded and verified between users to ensure communication is secure and can't be intercepted.
However, WhatsApp is able to force the generation of new encryption keys for offline users with neither the sender, nor the recipient knowing. It can then make the sender re-encrypt messages with the new keys and send them again if they weren't marked as delivered.
The recipient isn't notified about the new encryption keys and the sender is only notified if they've specifically opted-in to encryption warnings in settings, and only after the messages have been re-sent. Basically, this re-encryption and rebroadcasting means that WhatsApp could intercept and read users’ messages.
However, it's unlikely that anyone would be looking to exploit the issue and there's a quick fix. All you need to do is change your settings, reported The Independent.
Open your WhatsApp settings menu by clicking the cog. Then click Account and then Security – on that page there's one option, "Show Security Notifications", and then they're turned on.
With this setting switched on, WhatsApp will let you know every time a key changes. In the vast majority of cases there'll be nothing to worry about – for example, the app changes the keys when someone gets a new phone – but it'll let you know if something is wrong.
WhatsApp explains the function of the notifications as follows: "Turn on this setting to receive notifications when a contact's security code is changed." It adds: "The messages you send and your calls are encrypted regardless of this setting, when possible".
Update: WhatsApp sent the following statement: "The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams.** This claim is false.**
"WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."
"WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."