Saturday, January 14, 2017

Backdoor in WhatsApp

Most security experts argued, "It's not a backdoor, rather it's a feature," but none of them denied the fact that, if required, WhatsApp or a hacker can intercept your end-to-end encrypted chats.

Many people think that end-to-end encryption alone is the most powerful way to protect users' messages.

But recently a security researcher found a backdoor in WhatsApp which allows hackers to read all undelivered messages.

Most encrypted messaging services generate and store the private encryption key offline on your device and only publish the public key to other users through the company's server.

How this works

Suppose user A and user B want to chat, and WhatsApp has automatically exchanged their public keys through its server.

Now every message sent from user A is encrypted using the private key of A and the public key of B, and can be decrypted only by user B, using the public key of A and the private key of B.

Suppose user B is offline and user A has sent some messages to user B. Meanwhile, for some reason, user B had to change devices and reconfigured the same WhatsApp account on the new one. A fresh installation forces user B to generate a new public/private key pair for the same account.

Later, whenever user B comes online again, the device receives the rest of the undelivered messages sent by A.


But how can user B decrypt messages which were encrypted using the old public key of B?

That's because, when user B comes online again, WhatsApp automatically exchanges new keys between the users without informing them, and to successfully deliver the same messages, A's WhatsApp re-encrypts them using the newly received public key of B.

This is where the backdoor lies in the whole mechanism!

If a hacker (suppose user C) intentionally replaces the public key of B with their own, all undelivered messages will automatically be re-encrypted and delivered to C, and can only be decrypted by the private key of user C (the hacker).

And it's a well-known fact that usability and security are inversely proportional, and choosing usability over security doesn't end well.


How to Protect Yourself

To prevent the possibility of MITM attacks, WhatsApp also offers a third security layer in its app, which you can use to verify the keys of the other users you are communicating with.
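The re-encryption flow from the "How this works" section and the key-verification defence from this section, as an added toy model (this is example code written for this page, not WhatsApp or Signal code). Keys, envelopes, the key directory, the undelivered-message queue and the message texts are all constructed simulations; the hash-of-a-secret "public key" only stands in for a real key pair so the flow runs offline. The sending client is run twice: once with the silent re-encryption policy the post describes, and once with a hardened policy that pins the verified key, holds undelivered messages when the directory key changes, and resumes only after the user verifies the new key out of band.

```python
# Toy model of the re-encryption flow (constructed example, not WhatsApp code):
# simulated keys, a key directory, an undelivered queue, and a sending client
# with either the weak (silent re-encrypt) or the hardened (pin + alert) policy.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def derive_public(secret: str) -> str:
    # Simulated "public key": a hash of the device secret. Stands in for a real
    # key pair so the example runs offline; it is not real public-key crypto.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


@dataclass
class Envelope:
    to_key: str   # public key the message was sealed for
    body: str     # toy envelope: readable only through open_envelope()


def seal(pub: str, text: str) -> Envelope:
    return Envelope(to_key=pub, body=text)


def open_envelope(secret: str, env: Envelope) -> Optional[str]:
    """Only the holder of the secret matching env.to_key can read the body."""
    return env.body if derive_public(secret) == env.to_key else None


class Server:
    """Key directory plus a per-user queue of undelivered envelopes."""

    def __init__(self) -> None:
        self.directory: Dict[str, str] = {}
        self.queue: Dict[str, List[Envelope]] = {}

    def register(self, user: str, pub: str) -> None:
        self.directory[user] = pub  # a reinstall simply overwrites the old entry

    def enqueue(self, user: str, env: Envelope) -> None:
        self.queue.setdefault(user, []).append(env)

    def drain(self, user: str) -> List[Envelope]:
        return self.queue.pop(user, [])


class Sender:
    """User A's client. `pinned` holds the peer key A last verified or accepted."""

    def __init__(self, server: Server, auto_reencrypt: bool) -> None:
        self.server = server
        self.auto_reencrypt = auto_reencrypt  # True = the behaviour the post describes
        self.pinned: Dict[str, str] = {}
        self.pending: Dict[str, List[str]] = {}

    def pin(self, peer: str, pub: str) -> None:
        self.pinned[peer] = pub

    def queue(self, peer: str, text: str) -> None:
        self.pending.setdefault(peer, []).append(text)

    def flush(self, peer: str) -> Dict[str, object]:
        """Seal pending messages for `peer` with the key the directory now holds."""
        current = self.server.directory[peer]
        if current != self.pinned.get(peer):
            if not self.auto_reencrypt:
                # Hardened policy: hold the messages and surface a key-change
                # alert instead of re-encrypting to a key the user never verified.
                return {"delivered": 0, "held": len(self.pending.get(peer, [])), "alert": True}
            self.pinned[peer] = current  # weak policy: accept the new key silently
        texts = self.pending.pop(peer, [])
        for text in texts:
            self.server.enqueue(peer, seal(current, text))
        return {"delivered": len(texts), "held": 0, "alert": False}


def run_scenario(auto_reencrypt: bool, verify_out_of_band: bool = False) -> Tuple[dict, List[str]]:
    """B goes offline, B's directory key is replaced, then A's client flushes."""
    server = Server()
    server.register("B", derive_public(secrets.token_hex(8)))
    a = Sender(server, auto_reencrypt)
    a.pin("B", server.directory["B"])   # A verified B's original key earlier
    a.queue("B", "meet at 9")           # constructed sample messages
    a.queue("B", "bring the documents")
    # B is offline. B's directory entry is replaced by a freshly generated key:
    # a reinstall on a new phone, or, in the post's scenario, a substituted key.
    new_device = secrets.token_hex(8)
    server.register("B", derive_public(new_device))
    result = a.flush("B")
    if result["alert"] and verify_out_of_band:
        # The user compared the new security code with B in person, so the
        # client pins the new key and delivery resumes.
        a.pin("B", server.directory["B"])
        result = a.flush("B")
    readable = []
    for env in server.drain("B"):
        text = open_envelope(new_device, env)
        if text is not None:
            readable.append(text)
    return result, readable


if __name__ == "__main__":
    for policy in (True, False):
        print("auto_reencrypt=%s -> %s" % (policy, run_scenario(policy)))
```

With `auto_reencrypt=True` both queued messages are re-sealed to whatever key the directory now holds and the holder of the new secret reads them, with no alert to A. With `auto_reencrypt=False` the client reports a key change and holds both messages; they are only sealed to the new key after `pin()` is called again, which in the hardened design happens once the user has compared the new key with B through the in-app verification layer. The point the model makes is that the in-app verification only protects you if the client refuses to re-encrypt before the new key is verified, so turning on the security notifications setting and checking the code after every "security code changed" notice is what closes the gap.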

