WhatsApp claims to be one of the most secure messaging applications, saying its encryption is so strong that even its own creators cannot access message content.
However, there appears to be a backdoor through which WhatsApp messages can be disclosed.
Tobias Boelter, a cryptographer and security researcher at the University of California, told the Guardian: "If WhatsApp is asked by a government agency to disclose its messages, it may grant access by changing the keys."
The cryptographer who discovered the backdoor in WhatsApp said that Facebook and others could potentially steal and read the application's "encrypted" messages.
Facebook has meanwhile claimed that no one can intercept WhatsApp messages, not even the company's own staff. The researcher's findings appear to contradict this.
WhatsApp uses end-to-end encryption based on the Signal protocol created by Open Whisper Systems, which is supposed to generate unique security keys for each user.
WhatsApp can generate new encryption keys for users who are offline. The sender's application then re-encrypts any undelivered messages with the new keys and sends them again.
The recipient is not notified of the change in encryption key, and the sender is informed only if they have opted in to receive encryption alerts, and only after the messages have been resent. In effect, this "re-encryption" mechanism gives WhatsApp the ability to read users' messages.
Professor Kirstie Ball, one of the founders of the Center for Research into Information, Surveillance and Privacy, said that this backdoor is a "huge threat" to freedom of speech and a "gold mine for security services", while some Twitter users are warning people to stop using WhatsApp.
The application can resend messages that have not been delivered using a new security key, which means the company's staff could access them. The backdoor does not appear to be in the Signal protocol itself, since Open Whisper Systems' own Signal messaging application does not have this problem.
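To make the difference concrete, here is an added illustration (not code from the article, WhatsApp or Signal) that models a sender's outbox under two policies: silently re-encrypting undelivered messages to a newly announced key, as the article describes, versus holding them until the user confirms the new key. Key labels, message texts and the policy flags are constructed for the example; no real cryptography is involved.

```python
from dataclasses import dataclass, field


@dataclass
class PendingMessage:
    text: str
    encrypted_to: str  # label of the recipient identity key this message is encrypted to


@dataclass
class SenderClient:
    """Constructed model of a sender's outbox; keys are labels, not real cryptography."""
    trusted_key: str                    # recipient identity key the sender currently trusts
    resend_on_key_change: bool          # True: silently re-encrypt undelivered messages to a new key
    notify_on_key_change: bool = False  # the opt-in "security notifications" setting
    outbox: list = field(default_factory=list)  # encrypted but not yet delivered
    held: list = field(default_factory=list)    # withheld until the user confirms the new key
    alerts: list = field(default_factory=list)

    def send(self, text: str) -> None:
        # The recipient is offline, so the message stays queued, encrypted to the trusted key.
        self.outbox.append(PendingMessage(text, self.trusted_key))

    def on_key_change(self, new_key: str) -> list:
        """Server announces a new identity key for the recipient; returns what gets re-sent."""
        resent = []
        if self.resend_on_key_change:
            for m in self.outbox:          # re-encrypt every queued message to the unverified key
                m.encrypted_to = new_key
                resent.append(m)
        else:
            self.held.extend(self.outbox)  # blocking policy: nothing leaves until the user confirms
        self.outbox = []
        if self.notify_on_key_change:      # the alert arrives only after the resend has happened
            self.alerts.append(f"security code changed: {self.trusted_key} -> {new_key}")
        self.trusted_key = new_key
        return resent


def simulate(resend_on_key_change: bool, notify_on_key_change: bool) -> dict:
    """Queue two messages to an offline recipient, then process a key change."""
    client = SenderClient("KEY-A", resend_on_key_change, notify_on_key_change)
    client.send("hello")
    client.send("call me later")
    resent = client.on_key_change("KEY-B")
    return {
        "resent_to_new_key": [m.text for m in resent],
        "held_for_confirmation": [m.text for m in client.held],
        "alerts": client.alerts,
    }
```

With the resend policy and notifications off, both queued messages go out under the new, unverified key with no alert at all; turning notifications on only adds an alert after the fact, and only the blocking policy keeps the messages back.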
Facebook was reportedly informed of the issue in April 2016. The company told the cryptographer at the time that it was a known issue and described it as "expected behavior".
Update, Saturday 14 January, 6:51: This article was updated to add Facebook's and WhatsApp's official responses to the Guardian's allegations.