WhatsApp has a gaping security hole in the middle of its app. But it can be easily fixed.
An issue with the way that the app deals with the security keys central to its encryption mean that people can actually spy on messages, one security researcher has found. End-to-end encryption is intended as a way of ensuring that messages can only be read by the sender and their intended recipient, but the encryption keys that power that technology can be a weak link if they are wrongly used.
WhatsApp's implementation of end-to-end encryption – which is a large part of the company's focus on privacy and security – uses the widely-respected Signal protocol. That protocol relies on unique security keys that are swapped between users so that each device can check that they are sending and receiving messages to and from the right one.
But WhatsApp can force users to change those keys, and they won't be made aware. That means theoretically a hacker would be able to poke around messages without the app knowing that someone else is actually reading them.
The problem means that WhatsApp's encryption can be circumvented, allowing people to look in on messages, the Guardian reported. But the issue isn't necessarily new and the means to fix it are present within the WhatsApp app.
It isn't clear why the option isn't turned on by default, but it is probably because it is thought to be rare that people would look to exploit the issue and because any messages would probably mostly serve to be confusing. But turning it on is easy and the notifications are simple.
The option is found by opening up WhatsApp and heading to the Settings menu by clicking the cog. In there, click account and then Security – that page has just one option, "Show Security Notifications", and they are turned on from there.
Once that option is switched, the app will alert you every time a key changes. In most cases, that will probably be nothing to worry about – the app changes those keys when someone gets a new phone, for instance – but will serve as an alert if something is amiss with the app.
The change doesn't actually stop the messages coming through, and so if the notification is triggered unexpectedly it is best to stop chatting until a secure method of chatting can be established instead.
On that same page, WhatsApp explains the function of the notifications. "Turn on this setting to receive notifications when a contact's security code is changed," it writes. "The messages you send and your calls are encrypted regardless of this setting, when possible".
That "when possible" refers to the fact that WhatsApp only enables encrypted chats when both people communicating are on an up-to-date version of the app. If that is in place, the app shows a yellow label alerting its users to it.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies