WhatsApp, the world's most popular messaging app (aside from Messenger), used by billions of people around the globe, might not be as secure as its owners claim.

WhatsApp Messenger 2.17.1

If you remember, WhatsApp introduced end-to-end encryption less than a year ago, in April 2016. The feature meant that only the sender and the recipient could read each other’s messages and that no one else could access them. Facebook (which bought WhatsApp in 2014 for $19 billion) claimed that even the company’s own staff can’t access messages.

Recent research by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, found that WhatsApp messages aren’t as safe as we thought they were.

According to the research, WhatsApp’s implementation of the encryption protocol allows the keys to be altered by a third party without either the sender or the recipient having to know anything about it. In other words, if a government security agency asks WhatsApp for access to certain users’ messages, WhatsApp can grant it without any problem.

Boelter told The Guardian that “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.” This is a serious security concern, and it could also mean that WhatsApp and Facebook have been falsely advertising their encryption features.

The end-to-end encryption used by WhatsApp was developed by Open Whisper Systems. It uses unique security keys from the Signal protocol, but WhatsApp’s version contains a change to the protocol that other apps built on Signal do not have. The Signal protocol is recommended by Edward Snowden, and unlike the version used by WhatsApp, the original protocol doesn’t have a security backdoor.

Boelter explained that “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”

A WhatsApp spokesperson responded to Boelter’s claims by stating that “In WhatsApp’s implementation of the Signal protocol, we have a ‘Show Security Notifications’ setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
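The two quotes above describe a client-side policy question: when the contact's identity key the transport announces no longer matches the one the client has pinned, does the client re-encrypt and resend queued messages automatically (non-blocking), and does it tell the user? The following is an added toy model written for this article; it is not WhatsApp's, Signal's or Open Whisper Systems' code. The key agreement, keystream and security code are deliberately simplified stand-ins (a sorted-key hash, an HMAC counter stream and a truncated SHA-256) so the example runs offline; the identity keys, contact names and message are constructed. It contrasts the silent non-blocking retransmission, the same retransmission with the security-notification setting on, and a blocking policy that holds the message until the user verifies the new security code.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def shared_secret(key_a, key_b):
    """Stand-in for a key agreement: both peers derive the same secret from the
    pair of identity keys (order-independent). Not the real Signal handshake."""
    return hashlib.sha256(b"|".join(sorted([key_a, key_b]))).digest()


def keystream(secret, length):
    """Toy HMAC counter keystream; a stand-in for the Double Ratchet, not it."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(my_key, peer_key, data):
    """Encrypts or decrypts (XOR is its own inverse) under the pair's shared secret."""
    ks = keystream(shared_secret(my_key, peer_key), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def security_code(key):
    """Short fingerprint standing in for the security code users compare out of band."""
    return hashlib.sha256(key).hexdigest()[:12]


@dataclass
class Client:
    name: str
    key: bytes                                   # this device's identity key (constructed)
    block_on_key_change: bool = False            # hold messages until the user verifies
    show_security_notifications: bool = True     # the setting named by the spokesperson
    pinned: dict = field(default_factory=dict)   # contact -> identity key seen first (TOFU)
    outbox: list = field(default_factory=list)   # plaintexts not yet delivered
    notices: list = field(default_factory=list)  # what the user would be shown

    def trust(self, contact, announced_key):
        """Trust-on-first-use pinning. Returns True if sending under announced_key is allowed."""
        known = self.pinned.get(contact)
        if known is None:
            self.pinned[contact] = announced_key
            return True
        if known == announced_key:
            return True
        # The key the transport now announces differs from the pinned one.
        if self.show_security_notifications:
            self.notices.append(
                f"{contact}: security code changed "
                f"{security_code(known)} -> {security_code(announced_key)}")
        if self.block_on_key_change:
            return False                          # keep queued messages until verified
        self.pinned[contact] = announced_key      # non-blocking: accept the new key
        return True

    def flush_outbox(self, contact, announced_key):
        """Re-encrypt queued messages under the announced key if policy allows.
        Returns the ciphertexts handed to the transport."""
        if not self.trust(contact, announced_key):
            return []
        sent = [xor_crypt(self.key, announced_key, m) for m in self.outbox]
        self.outbox.clear()
        return sent


def scenario(block_on_key_change, show_security_notifications):
    """Constructed scenario: Alice queues a message for Bob while he is offline,
    then the transport announces a different identity key for Bob."""
    alice = Client("alice", b"alice-identity-key-1",
                   block_on_key_change=block_on_key_change,
                   show_security_notifications=show_security_notifications)
    bob_key_1 = b"bob-identity-key-1"
    bob_key_2 = b"bob-identity-key-2"
    alice.trust("bob", bob_key_1)                 # existing session with Bob's first key
    alice.outbox.append(b"meet at noon")
    ciphertexts = alice.flush_outbox("bob", bob_key_2)
    return {
        "resent": len(ciphertexts),
        "held": len(alice.outbox),
        "notices": list(alice.notices),
        # Whoever holds the announced key can read the retransmission...
        "read_with_new_key": [xor_crypt(bob_key_2, alice.key, c) for c in ciphertexts],
        # ...while the original key no longer can.
        "read_with_old_key": [xor_crypt(bob_key_1, alice.key, c) for c in ciphertexts],
    }


if __name__ == "__main__":
    for policy in [(False, False), (False, True), (True, True)]:
        print(policy, scenario(*policy))
```

With notifications off and a non-blocking policy the queued message goes out under the new key with nothing shown to the user, which is the case Boelter describes; turning the setting on makes the change visible but still after the fact; only the blocking policy leaves the message in the outbox until the new security code is verified.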