Recently, a new data security vulnerability was discovered in WhatsApp. In essence, it allows a third party to intercept and read encrypted messages sent through the app.

Despite what may have been said in WhatsApp’s recent public statements, verifying fingerprints will not solve the problem, nor will ticking the checkbox in WhatsApp’s settings panel.

The vulnerability explained

There are two main components in encrypted messaging: the public key and the private key. The public key is used to encrypt messages, and the private key is used to decrypt them.

To exchange encrypted messages with your friend, the application first needs your friend’s public key. WhatsApp solves this by storing the keys on its central servers, from which the app downloads them automatically.

The problem is that the servers could lie about the public keys: instead of giving you your friend’s public key, they could give you one that belongs to a third party, such as a government.

For better security, you have the option of verifying the provided key by comparing a “security code” with your friend. However, when someone reinstalls WhatsApp or gets a new phone, a new public key is generated by the server.

It is common practice to notify you when this happens and to give you the option to verify the key again. In WhatsApp, however, you are not given this option, which is why this is considered a data security vulnerability.
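The key-change check the article says is missing, as an added example (not WhatsApp’s code): a trust-on-first-use client pins each contact’s key fingerprint, detects when the central key server returns a different key, and either holds messages until the new security code is re-verified or silently re-pins it, the behaviour described above. `KeyServer`, `Client` and the byte-string keys are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Short hex digest two users can compare out of band (the "security code")."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class KeyServer:
    """Central key directory (constructed). It can hand out any key it likes for a user."""
    keys: dict = field(default_factory=dict)

    def publish(self, user: str, public_key: bytes) -> None:
        self.keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self.keys[user]

@dataclass
class Client:
    """Pins the first key fingerprint seen per contact and flags later changes."""
    pinned: dict = field(default_factory=dict)  # contact -> fingerprint

    def check_key(self, contact: str, server_key: bytes) -> str:
        fp = fingerprint(server_key)
        known = self.pinned.get(contact)
        if known is None:
            self.pinned[contact] = fp  # trust on first use
            return "first_use"
        return "unchanged" if known == fp else "changed"

    def accept_key(self, contact: str, server_key: bytes) -> None:
        """The user compared the new security code with the contact; pin it."""
        self.pinned[contact] = fingerprint(server_key)

    def may_send(self, contact: str, server_key: bytes, block_on_change: bool) -> bool:
        """Decide whether to encrypt under the key the server just returned."""
        if self.check_key(contact, server_key) != "changed":
            return True
        if block_on_change:
            return False  # hold the message until accept_key() is called
        self.accept_key(contact, server_key)  # silent re-pin: the behaviour at issue
        return True
```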

