[Busec] WhatsApp default settings vulnerability

Sarah Scheffler sscheff at bu.edu
Fri Jan 13 16:40:11 EST 2017

This might be old news for some of you, but it was news to me.

TL;DR: If you use Signal, you're good.  If you use WhatsApp, you should set
the setting where it tells you if the recipient's key was changed while
they were offline, and also be aware that messages sent to people who are
offline may be re-encrypted under a different (!) key and sent without your
intervention.  Or switch to Signal.

Basically if you send a message in WhatsApp to someone who is offline,
WhatsApp can replace the public key of the person to whom you're sending
with a new one, and the messages you sent will be automatically
re-encrypted and sent under the new key.  Only after they are successfully
transmitted are you told that this key change happened, and even then only
if you check a little (non-default) box that says so.  It was explained a
little more sanely and with more pictures by the finder, Tobias Boelter
from Berkeley:

Apparently Facebook knows about this and isn't planning on changing
anything.  The finder of this vulnerability says
<https://tobi.rocks/2017/01/what-is-facebook-going-to-do-a-suggestion/> he's
pretty sure it was a bug, but also that they should claim that it wasn't
and that they just made a poor design choice, and change it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/20170113/6b6810fe/attachment.html>

More information about the Busec mailing list