WhatsApp Security: make this change right now!

Martin Brinkmann
Jan 13, 2017
Updated • Jan 13, 2017

Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages.

Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the service's end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application.

WhatsApp's end-to-end encryption ensures only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp. Your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message. For added protection, every message you send has a unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.

It turns out, however, that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter found out (via The Guardian).

Update: In a statement sent to Ghacks, a WhatsApp spokesperson provided the following insight on the claim:

"The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. ** This claim is false. **

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report. (https://govtrequests.facebook.com/)"

WhatsApp has the power to generate new encryption keys for users who are not online. Neither the sender nor the recipient of the messages is made aware of that, and the sender would send any message not yet delivered again, using the new encryption key to protect the messages from third-party access.

The recipient of the message is not made aware of that. The sender, only if Whatsapp is configured to display security notifications. This option is however not enabled by default.

While WhatsApp users cannot block the company -- or any state actors requesting data -- from taking advantage of the loophole, they can at least activate security notifications in the application.

The security researcher reported the vulnerability to Facebook in April 2016 according to The Guardian. Facebook's response was that it was "intended behavior" according to the newspaper.

Activate security notifications in WhatsApp


To enable security notifications in WhatsApp, do the following:

  1. Open WhatsApp on the device you are using.
  2. Tap on menu, and select Settings.
  3. Select Account on the Settings page.
  4. Select Security on the page that opens.
  5. Enable "show security notifications" on the Security page.

You will receive notifications when a contact's security code has changed. While this won't prevent misuse of the backdoor, it will at least inform you about its potential use.
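The behaviour described above, modelled as a small Python state machine (an added example, not WhatsApp's code). The `silent` and `notify` policies follow the article's description, `block` is a hypothetical alternative for contrast, and all class, method and key names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

def fingerprint(identity_key: bytes) -> str:
    """Short stand-in for the security code derived from an identity key."""
    return hashlib.sha256(identity_key).hexdigest()[:12]

@dataclass
class SenderClient:
    policy: str                 # "silent" (default setting), "notify", or "block" (hypothetical)
    known_key: bytes            # recipient identity key the sender has seen so far
    pending: list = field(default_factory=list)   # sent, no delivery receipt yet
    notices: list = field(default_factory=list)   # what the user is shown
    resent: list = field(default_factory=list)    # (message, fingerprint of key used)
    held_key: Optional[bytes] = None              # new key awaiting verification ("block" only)

    def send(self, text):
        self.pending.append(text)

    def delivery_receipt(self, text):
        self.pending.remove(text)

    def on_key_change(self, new_key: bytes):
        """The server reports a new identity key for the recipient."""
        if new_key == self.known_key:
            return
        if self.policy != "silent":
            self.notices.append(f"security code changed: "
                                f"{fingerprint(self.known_key)} -> {fingerprint(new_key)}")
        if self.policy == "block":
            self.held_key = new_key        # nothing is re-sent yet
        else:
            self._accept(new_key)          # re-send happens regardless of the notice

    def user_verified(self):
        """User confirmed the new security code with the contact out of band."""
        if self.held_key is not None:
            self._accept(self.held_key)
            self.held_key = None

    def _accept(self, key: bytes):
        self.known_key = key
        self.resent += [(m, fingerprint(key)) for m in self.pending]

def run(policy: str) -> SenderClient:
    c = SenderClient(policy, known_key=b"constructed-key-A")   # constructed sample keys
    c.send("hello"); c.delivery_receipt("hello")               # delivered under key A
    c.send("meet at 6")                                        # recipient offline, no receipt
    c.on_key_change(b"constructed-key-B")
    return c
```

Comparing `run("silent")` with `run("notify")` shows the same undelivered message re-sent under the new key in both cases; the setting only changes whether the sender sees a notice.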

Ghacks Technology News



  1. Rigr said on January 15, 2017 at 8:00 pm

    Moxie (one of the founders of the Signal protocol) has written an article about this:

    1. Dilandu said on January 16, 2017 at 1:28 pm

      His article is incomplete though.

      He failed to account for the fact that WhatsApp can catch entire conversations by correctly sending messages to the recipients, but not sending a “message delivered” notice to the sender and then resetting recipient key ON ITS OWN initiative, without the recipient having to change device or reinstall WhatsApp. Then the sender will auto-resend messages which can then be caught by Facebook or a government that forces Facebook to do it under gag order.

      Also WhatsApp is closed source, so it can do whatever it wants as long as it respects the Signal protocol. And it’s owned by Facebook, one of the biggest privacy invaders on earth. Both these facts mean that the app really really needs to come clean, if it wants to claim that it does secure end to end encryption. (= Facebook needs to secure this flaw.)

  2. Angelica said on January 15, 2017 at 6:15 pm

    What about audio and video messages? I am concerned more about those, as opposed to a few lines I type. Why would I type when I can call, but can’t seem to find encryption being mentioned there…

    1. Dilandu said on January 16, 2017 at 1:31 pm

      It concerns any encrypted message, so videos and pictures too

  3. ShintoPlasm said on January 14, 2017 at 11:58 pm

    I still personally prefer Telegram. It’s easy to forget that TG has two modes: the ‘normal’ one which is secure enough for everyday purposes, and the ‘secret’ one which does seem to be a cut above many other messaging apps. I don’t think the MTProto protocol used by Telegram for these secret conversations has been cracked yet…

  4. Anon said on January 14, 2017 at 5:31 pm

    WhatsApp is not trusted anymore. Please use Ring, Zom, Kontalk or Conversations. This is a battle for human freedom.

  5. Bobo said on January 14, 2017 at 4:38 pm

    Bottom line: no such thing as secure or private anymore. If you really really reaaaally have to send a d**k pic to a girl, get your grandmom’s old polaroid cam and then drive to the girl’s house and hand the polaroid to her. Then ASSUME she won’t show it to her girlfriends.. and we’re back at square one. =)

    Privacy, again is kinda flimsy.. why are we concerned? Are most of us international spies, drug lords or hired hitmen? Or are we all just a bunch of idiots scared someone might know what’s lurking on our hard drives? Of course privacy is no issue if the only thing you ever do online is search for cookie-recipes..

    Again: It’s 1984 and nobody seems to notice.

    Call me a troll, call me anything you want. I’m just stating the obvious.

    A good saturday to all of you!

    1. Dumbass XIV said on January 14, 2017 at 8:45 pm

      “Give me six lines written by the most honest of men and I will find a reason to hang him.”
      – Cardinal Richelieu, an asshole who gets it

      People need to give more thought. Humans aren’t magically clever or reasoning soundly, good thinking is a skill, method is required. That’s what philosophy is all about and science too.

  6. Dhananjay said on January 14, 2017 at 6:58 am

    On my device security notifications were also not enabled by default and I think PRIVACY IS DEAD

    1. Yuliya said on January 14, 2017 at 2:52 pm

      Your privacy is dead when, or rather if, you decide to do so.

  7. ams said on January 13, 2017 at 10:52 pm

    “The sender, only if Whatsapp is configured to display security notifications.”

    This is not a complete sentence & I’m unsure what it means. Something about recipient being offline, encryption key being changed prior to reading… then this partial sentence again mentioning sender. Hmmm…

  8. James Dean said on January 13, 2017 at 10:14 pm

    Backdoor implies malicious intent. Putting that discussion aside, what remains is an actual, genuine way to man-in-the-middle supposedly end-to-end encrypted conversations, text, videos, photos.

    A scandal is the only way Facebook will make a move. For instance, the key renewal could be made such that it can only be triggered by the client, not by WhatsApp, which could hopefully reduce the possibilities of renewal to either:
    – Hacked device (In which case, end-to-end encryption is already defeated anyway)
    – Reinstalled WhatsApp
    – New SIM card (stupid data stealing trend to lock app accounts to phone numbers)
    – New phone

    Then, since renewals are rare, the sender can be prompted by default and asked whether or not they want their message resent; at which point I would confirm with my recipient if indeed he did something leading to key renewal.

  9. Tommy said on January 13, 2017 at 8:14 pm

    Calling it a backdoor is not accurate.
    It’s a vulnerability, but it’s there probably only for convenience*. Because let’s be real: your average Joe is completely clueless about any of that stuff (private key, public key…) so if WhatsApp showed a pop-up/confirmation dialog for every key change it could get annoying.
    With that said, I would personally not mind a confirmation or at least have an option to toggle that setting on/off.

    *The alternative being that it’s there for malicious purposes, but WhatsApp is closed source anyway. If they wanted to spy on people they could do it much more effectively in other ways.

  10. ilev said on January 13, 2017 at 7:35 pm

    No wonder there is a backdoor as the NSA funded Open Whisper/Signal.

    1. Rigr said on January 15, 2017 at 8:12 pm

      Haha, I hope you’re kidding :)

      Well, if we suppose it were true, then the NSA has done a terrible job of implementing the backdoor in the protocol. Some recent audits: https://eprint.iacr.org/2016/1013.pdf

      The source code and a guide to reproduce the Android builds:

  11. Bobo said on January 13, 2017 at 5:50 pm

    And nobody cares. Using WhatsApp as a SECURE way to message, MUUUAAHHHAAAHHHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!!!!! Everything you ever clicked, typed, or thought about is resting firmly on Facebook servers, ripe for the NSA. Speaking of, WIRE, the “secure” Swiss app, now requires GOOGLE SERVICES to run =) “Because we plan on delivering a premium option soon” So that’s how secure WIRE was. Lure users in with a good service, regain a good reputation. Then turn the tables completely. Is there ANY messaging app that’s still CLEAN? Yeah, SIGNAL does the same. Telegram is Russian, never trust Russia. Ever. Plus it’s filled with stickers and emojis and other garbage to lure youngsters in. I honestly think we have now arrived at 1984. Trust no one.

    1. hahaha said on January 14, 2017 at 3:08 am

      Quote from the movie –Terminator 5– : Lesson One, Trust No One.

      This should be Rule No. 1 when connecting to the internet nowadays.

      1. Tom Hawack said on January 14, 2017 at 1:12 pm

        My name is One, No One. Thanks for trusting me.
        I trust One, Some One. Forgot who.

        Saturday Afternoon Fever.

    2. David said on January 14, 2017 at 1:50 am

      Bobo is a Troll

    3. Clairvaux said on January 13, 2017 at 10:09 pm

      Saying Telegram should not be trusted because it is Russian is the same as saying Tor should not be trusted because it is American. And invented by the Navy to boot. And used by America’s spies (and all others) for their own anonymity needs.

      You could also say the Internet is American (it is) and invented by the American army (it was) therefore it should not be trusted. That’s what the Russian government says. The Russian government’s paranoia is not a good basis for sane decisions.

      Also, Telegram was invented by a Russian dissident working against his government snooping activities, and he’s in exile.

      1. James Dean said on January 13, 2017 at 10:47 pm

        I think it was the CERN who “invented” internet. https://en.wikipedia.org/wiki/History_of_the_World_Wide_Web

        I agree with your reasoning though. Telegram or Kaspersky being Russian doesn’t mean they are that much more likely to be compromised than US software.

        What would be widely used (in Europe) IMs that have reliable end-to-end encryption, aside from WhatsApp ? It’s not feasible to have all our contacts download an obscure, super secure app.

    4. Anonymous said on January 13, 2017 at 8:59 pm

      >Trust no one.

      Ok, i’ll start with you.

  12. Ross Presser said on January 13, 2017 at 4:58 pm

    The Guardian report is getting a lot of pushback; many security researchers say there’s no backdoor.


    1. Corky said on January 14, 2017 at 11:42 am

      @James Dean, The law that’s recently come into effect in the UK doesn’t (afaik) prevent a company from fixing security flaws they discover, it does however make it illegal for an individual or company to disclose that security services may have hacked their system or program.

      Obviously it’s almost impossible to know if a security flaw has been inserted by the security services, potentially this makes the disclosing of any security flaws extremely risky as the individual or company could be taken to court for disclosing it, the investigatory powers act could have a chilling effect on the field of security research.

    2. James Dean said on January 13, 2017 at 10:40 pm

      There is a real vulnerability that can turn into exploitation by Facebook or a government. That’s what matters most.

      Isn’t the new law in UK allowing government to prevent a company from fixing selected pre-existing security flaws in their product ? Not sure, I may have misunderstood that part.

      Either way you have a flaw right here right now and it can be exploited so it should be fixed.

  13. Ron said on January 13, 2017 at 3:36 pm

    Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages. Facebook, the owner of WhatsApp,

    Why doesn’t this surprise me?

  14. CHEF-KOCH said on January 13, 2017 at 2:21 pm

    This option seems to be enabled by default.

    Btw Martin how about getting WhatsApp news from Ghacks? Similar to an RSS feed, just in WhatsApp?

    1. Gabriel said on January 13, 2017 at 7:44 pm

      It wasn’t enabled on my Android device by default.

    2. Martin Brinkmann said on January 13, 2017 at 2:42 pm

      It was not enabled on my device by default, and the Guardian article states it is not as well.
