Security community Technosociology sheds more light on the alleged WhatsApp security flaw, explaining why it is not a big deal.

Edwin Chabuka

Quite recently the internet was set alight with the news of WhatsApp’s end-to-end encryption having a flaw that rendered it ‘unsafe’.

We say ‘unsafe’ in quotes because information has since surfaced from the security community Technosociology, shedding more light on this vulnerability and explaining why it is not a big deal.

In our recent article we explained how someone is able to access undelivered WhatsApp messages due to a compromise in WhatsApp’s implementation of the end-to-end encryption protocol.

So the long and short of it is that WhatsApp’s security is not completely watertight; this is a known compromise, put in place so that the app stays as secure as possible while remaining user friendly for the billions of people currently using it.

How exactly is WhatsApp said to be unsafe?

If a message is sent to a user while they are offline, it will not be delivered until the user comes back online. If during this period the receiver (who is offline) changes their phone or SIM, a new security key is generated the next time they go online; all pending messages are then delivered using that new key, and the sender is notified of the change in real time.

So during this time, while the receiver is offline and messages are still undelivered, a hacker can gain access to these undelivered messages through WhatsApp’s implementation of this protocol.

A proper implementation of the security protocol (Signal, for example) would block all pending messages until you (the sender) confirm the change of details with the receiver, ensuring communication is restricted to the relevant parties only.

Why the compromise is not a big deal.

Right off the bat, there is the user-friendliness aspect. Having to confirm a change of security keys with your contacts every time they change phones or SIM cards can be a very tedious process, especially in this day and age when most people own more than one phone and more than one SIM.

However, if you fear for your security after receiving a notification of a new security code, you can always do the following:

  • Open the chat in question and view the contact’s details.
  • Tap on Encryption.
  • A new security key will be generated, which you can share with the selected contact.
  • Alternatively, if the contact is physically close to you, they can scan the QR code to confirm the new security key.
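To make the two behaviours described above concrete, here is a small Python model, written for this article and not code from WhatsApp, Signal or Technosociology. It simulates a sender queuing messages for an offline contact, the contact’s number coming back online registered with a different key, and the two delivery policies the article contrasts: re-encrypt and deliver, then notify (the WhatsApp behaviour as described), versus block until the sender verifies the new code (the Signal behaviour as described). It also models the manual check from the steps above, comparing the code a contact shows you against the code your app reports. “Encryption” here is only a tag naming which key a message was encrypted to, and the names, key bytes and message texts are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    # Stand-in for the security code an app shows for a key (constructed format:
    # a truncated SHA-256 of the key bytes, not the real 60-digit code).
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Envelope:
    text: str
    encrypted_to: str  # fingerprint of the recipient key this copy was encrypted to


@dataclass
class Sender:
    trusted_key: str                              # contact key the sender currently trusts
    queued: list = field(default_factory=list)    # written while the contact was offline
    notices: list = field(default_factory=list)   # key-change notifications shown to the user


class Server:
    # Relay that sees only ciphertext; it knows each recipient's current key and presence.
    def __init__(self):
        self.current_key, self.online, self.delivered = {}, {}, {}

    def register(self, recipient: str, public_key: bytes, online: bool = True) -> None:
        self.current_key[recipient] = fingerprint(public_key)
        self.online[recipient] = online
        self.delivered.setdefault(recipient, [])


def send(sender: Sender, server: Server, recipient: str, text: str) -> Envelope:
    env = Envelope(text, sender.trusted_key)
    if server.online[recipient]:
        server.delivered[recipient].append(env)
    else:
        sender.queued.append(env)  # held by the sender until the contact is back online
    return env


def flush_queue(sender: Sender, server: Server, recipient: str, policy: str) -> list:
    """Contact is back online. 'resend': accept the new key, re-encrypt the queue to it,
    deliver, then notify. 'block': notify and deliver nothing until verify() succeeds."""
    current = server.current_key[recipient]
    if current != sender.trusted_key:
        if policy == "block":
            sender.notices.append(f"{recipient}: security code changed, verify before sending")
            return []
        if policy != "resend":
            raise ValueError(f"unknown policy {policy!r}")
        sender.trusted_key = current  # trust the new key without asking the user first
        sender.notices.append(f"{recipient}: security code changed")
    for env in sender.queued:
        env.encrypted_to = sender.trusted_key  # whoever holds this key can read the queue
    delivered = list(sender.queued)
    server.delivered[recipient].extend(delivered)
    sender.queued.clear()
    return delivered


def verify(sender: Sender, server: Server, recipient: str, code_shown_by_contact: str) -> bool:
    """The manual check: the code the contact shows you (QR scan in person, or shared over
    another channel) must match the code your app reports for them. A mismatch means the
    key the server holds is not the one on your contact's device."""
    current = server.current_key[recipient]
    if code_shown_by_contact != current:
        return False
    sender.trusted_key = current
    return True


def readable_by(env: Envelope, public_key: bytes) -> bool:
    return env.encrypted_to == fingerprint(public_key)


def run_scenario(policy: str) -> dict:
    """Constructed scenario: Alice writes two messages while Bob is offline; Bob's number
    then comes back online registered with a different key (new phone, new SIM, or a
    device that is not Bob's at all)."""
    server = Server()
    bob_old, bob_new = b"bob-key-1", b"bob-key-2"  # placeholder key bytes, not real keys
    server.register("bob", bob_old)
    alice = Sender(trusted_key=fingerprint(bob_old))
    server.online["bob"] = False
    send(alice, server, "bob", "meeting moved to 3pm")
    send(alice, server, "bob", "bring the documents")
    server.register("bob", bob_new)
    delivered = flush_queue(alice, server, "bob", policy)
    return {
        "delivered": [e.text for e in delivered],
        "readable_with_new_key": [readable_by(e, bob_new) for e in delivered],
        "still_queued": len(alice.queued),
        "notices": list(alice.notices),
        "sender": alice, "server": server, "old_key": bob_old, "new_key": bob_new,
    }


if __name__ == "__main__":
    for policy in ("resend", "block"):
        r = run_scenario(policy)
        print(policy, r["delivered"], r["still_queued"], r["notices"])
```

Under the resend policy the two queued messages are delivered readable by whoever holds the new key, and the sender only sees the notice afterwards; under the block policy nothing leaves the sender, the notice arrives first, and `verify()` with the code from the contact’s real device decides whether delivery resumes. That difference, and the fact that only the queued messages are affected either way, is the whole of the article’s point.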

Once again, even if you are able to intercept messages, you are ONLY going to be able to access messages waiting to be delivered. For a hacker to exploit the window that occurs while the receiver is offline would require very swift work, making it a complete gamble whether any information of value is obtained.

The hacking itself can only be performed by very skilled hackers, meaning you would need to be a ‘high-risk’ individual for someone with such a high degree of hacking skill (Edward Snowden-type characters) to try to hack you.

Moreover, if you are such a ‘high-risk’ person, you would already be using more secure encryption methods like Signal.

This makes the chances of a successful hack very slim and purely a matter of luck or coincidence.

WhatsApp is still rated as one of the most secure messaging applications and one of the most popular messaging platforms, and even with its compromises it is still your best bet for a secure, user-friendly messaging application for the masses.

2 comments

  1. Sagitarr

    Yep, as you say “for the masses”.
    Security on the web is a very complex subject for the majority of users, especially WhatsApp users. Please make it clear that the best security is to avoid splashing all your secrets on these fora. There is a lot of data mining out there.

  2. G

    I have heard that people can hack WhatsApp by copying a phone’s IMEI code and then putting it on another phone – then verifying the new WhatsApp installation – (would need physical access to the phone) – I wonder if WhatsApp will deliver messages to two phones if this is done.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed