And it happens again to WhatsApp, being further embarrassed by researchers showing that they do not know how to implement encryption correctly. Recently Help-Net Security published an article about a Dutch Computer Science and Mathematics student (Thijs Alkemade) at Utrecht University has discovered how WhatsApp encrypts and authenticats its messages.
we know that not only does WhatsApp use the same (RC4) encryption key for the messages in both directions, but also the same HMAC key to authenticate messages.
The main problem being:
“But a MAC by itself is not enough to detect all forms of tampering: an attacker could drop specific messages, swap them or even transmit them back to the sender,”
But also points out that there is a simple solution which is using TLS. So in conclusion
- All WhatsApp users are still not safe
- Your messages can be sniffed out
- Your message can be decrypted
- Your only protection is to stop using WhatsApp
- Wait for WhatsApp to learn how Encryption works so they can implement it correctly
I’ll end this post with a quote from Thijs Alkemade:
“solution that has been reviewed, updated and fixed for more than 15 years, like TLS.”