Critical WhatsApp crypto flaw threatens user privacy, researchers warn

A security researcher said he has found an encryption flaw that makes it possible for adversaries to decrypt communications sent with WhatsApp, a cross-platform smartphone app that processes as many as 27 billion instant messages each day.

WhatsApp developers say messages are "fully encrypted," and company CEO Jan Koum told Ars that Tuesday's vulnerability report is "sensationalized and overblown." But a computer science student at Utrecht University in the Netherlands—and several cryptographers who have reviewed his work—said the app appears to contain long-documented weaknesses, including the use of the same encryption key on both sides of a conversation. As a result, they said, it's not hard for cryptographers to decrypt WhatsApp messages that travel over Wi-Fi networks or other channels that can be monitored.

"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort," Utrecht computer science and mathematics student Thijs Alkemade wrote in a blog post published Tuesday. "You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this... except to stop using it until the developers can update it."
