A Dutch researcher has revealed a flaw in the popular cross-platform IM service WhatsApp. He claims that the company has not thought through its encryption design as well as it should have, and that users should be aware that their WhatsApp messages could easily be decrypted by attackers.
WhatsApp allows free instant messaging between most Android phones while they are connected to the internet.
WhatsApp has had its fair share of privacy and security issues. The company implemented message encryption in August 2012, but has not specified which cryptographic method is used.
Thijs Alkemade, a Computer Science and Mathematics student at Utrecht University and Lead Developer for Adium, has discovered that WhatsApp not only uses the same (RC4) encryption key for messages in both directions, but also the same HMAC key to authenticate them. In effect, this means that a cybercriminal could drop specific messages, swap them, or send them back to the sender, and detecting this kind of tampering is not always possible.
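To make the two weaknesses concrete, here is an added, self-contained illustration (not code from WhatsApp or from Alkemade's analysis): a textbook RC4 over a constructed session key and two constructed messages, first with one shared key in both directions and then with per-direction keys derived by a hypothetical HMAC-SHA256 key-derivation step. It shows why a reused stream-cipher keystream lets anyone who knows one side's plaintext unmask the other side's, and why a shared HMAC key lets a reflected message pass the recipient's own integrity check.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA). A stream cipher's keystream must never be reused."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def rc4(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))

def subkey(master: bytes, label: bytes) -> bytes:
    """Hypothetical fix: one key per purpose and direction, derived with HMAC-SHA256."""
    return hmac.new(master, label, hashlib.sha256).digest()

def tag(mac_key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key, msg, hashlib.sha256).digest()
# Constructed sample session key and messages (not real WhatsApp values).
MASTER = b"constructed-session-key"
P_CLIENT = b"Hi, are we still on for lunch at noon today?"
P_SERVER = b"Yes! Meet me in the lobby at twelve."

def server_reply_leak(per_direction: bool) -> bytes:
    """What an eavesdropper who knows the client's text learns about the server's reply."""
    k_c2s = subkey(MASTER, b"enc:c2s") if per_direction else MASTER
    k_s2c = subkey(MASTER, b"enc:s2c") if per_direction else MASTER
    c_client, c_server = rc4(k_c2s, P_CLIENT), rc4(k_s2c, P_SERVER)
    # With one shared keystream, C1 ^ P1 exposes it, and it unmasks C2 directly.
    return xor(xor(c_client, P_CLIENT), c_server)

def reflection_accepted(per_direction: bool) -> bool:
    """Does the client's MAC check accept its own tagged message sent straight back to it?"""
    k_send = subkey(MASTER, b"mac:c2s") if per_direction else MASTER
    k_recv = subkey(MASTER, b"mac:s2c") if per_direction else MASTER
    t = tag(k_send, P_CLIENT)                             # client tags its outgoing message
    return hmac.compare_digest(tag(k_recv, P_CLIENT), t)  # client verifies the reflected copy
```

With the shared key, `server_reply_leak(False)` returns the server's plaintext and `reflection_accepted(False)` is `True`; with per-direction keys the recovered bytes are noise and the reflected message is rejected.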
Alkemade suggested that users “should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised,” adding that WhatsApp users can do nothing to protect themselves, except stop using the app until it can be updated to remove the flaws.