All conversations through the hugely popular WhatsApp text messaging application should be considered compromised, according to a computer science student who says he found encryption flaws in the app.
WhatsApp was pitched as an alternative to SMS and was so popular that in June it processed a whopping 27 billion messages in 24 hours.
Now Thijs Alkemade (@xnyhps), a maths student at Utrecht University in the Netherlands and lead developer of instant messaging client Adium, has said the Android and Nokia versions of WhatsApp were vulnerable, and added other clients were likely affected.
"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort," Alkemade wrote in a post.
"You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this except to stop using it until the developers can update it."
WhatsApp did not immediately respond to a request for comment. Its site was this week attacked by a pro-Palestinian defacement crew (@KdmsTeam) and remained offline at the time of writing.
Alkemade claimed the core problem was that WhatsApp used the same RC4 key for both directions of a conversation. RC4 is a stream cipher, so the same key always produces the same keystream; an attacker who captures both the outgoing and the incoming ciphertext can XOR them together to cancel the keystream and, with one known or guessable plaintext, recover the other.
"Let's recall how RC4 is supposed to work: RC4 is a PRNG (pseudorandom number generator) that generates a stream of bytes, which are XORed (ciphered) with the plaintext that is to be encrypted. By XORing the ciphertext with the same stream, the plaintext is recovered."
"... if we have two messages encrypted with the same RC4 key, we can cancel the key stream out. As WhatsApp uses the same key for the incoming and the outgoing RC4 stream, we know that ciphertext byte i on the incoming stream XORed with ciphertext byte i on the outgoing stream will be equal to xoring plaintext byte i on the incoming stream with plaintext byte i of the outgoing stream. By XORing this with either of the plaintext bytes, we can uncover the other byte."
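The keystream-cancellation attack described above, as an added example that is not Alkemade's code or WhatsApp's. It implements textbook RC4 (key scheduling plus the output generator), encrypts an outgoing and an incoming message under one shared key, as the article says WhatsApp did, and then plays the eavesdropper: XOR the two ciphertexts to get the XOR of the two plaintexts, and use the known outgoing plaintext to read the incoming one. The key and both messages are constructed sample data.

```python
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 key-scheduling algorithm followed by the output generator.

    Yields one keystream byte per call to next(). The stream depends only on
    the key, which is exactly why reusing a key across two messages is fatal.
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse)."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Given one ciphertext/plaintext pair and a second ciphertext under the
    same keystream, return the second plaintext:
        c_target ^ c_known ^ p_known == (p_target ^ k) ^ (p_known ^ k) ^ p_known
    The keystream k cancels; the attacker never needs the key."""
    n = min(len(c_known), len(p_known), len(c_target))
    return bytes(c_target[i] ^ c_known[i] ^ p_known[i] for i in range(n))


def demo() -> bytes:
    # Assumption for the example: one session key used in both directions.
    key = b"shared-session-key"
    outgoing = b"Meet me at the station at 9pm"       # constructed sample
    incoming = b"OK, see you there, bring cash"       # constructed sample

    c_out = rc4(key, outgoing)
    c_in = rc4(key, incoming)

    # Eavesdropper's view: two ciphertexts, no key. XORing them removes the
    # keystream and leaves the XOR of the two plaintexts.
    assert xor_bytes(c_out, c_in) == xor_bytes(outgoing, incoming)

    # With the outgoing plaintext known (or guessed), the reply falls out.
    return recover_other_plaintext(c_out, outgoing, c_in)


if __name__ == "__main__":
    print(demo().decode())
```

Even without a known plaintext, the XOR of two natural-language messages leaks heavily (spaces XOR letters flip case, for instance), so the "given enough effort" in Alkemade's warning is ordinary crib-dragging rather than anything exotic.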
Further flaws were found in the way WhatsApp authenticated messages. WhatsApp did attach a MAC to each message, but, Alkemade said, it did not include a sequence counter in the authenticated data, as TLS does, so the MAC only proves that an individual message is unmodified and says nothing about its order or whether it has been seen before. He also said the same key was used both for RC4 encryption and as the key for the HMAC.
"But a MAC by itself is not enough to detect all forms of tampering: an attacker could drop specific messages, swap them or even transmit them back to the sender," he said.
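To make that concrete, here is an added example (not WhatsApp's protocol and not Alkemade's code) contrasting a per-message HMAC with one that also covers a sequence number, as TLS does. The messages, the MAC key and the two receiver classes are constructed for illustration; the receiver that checks counters fails closed after the first bad tag, as a TLS record layer would.

```python
import hashlib
import hmac
import struct

# Assumption for the example: a per-session MAC key (separate from any
# encryption key, unlike the key reuse the article describes).
MAC_KEY = b"example-mac-key"


def tag_message(msg: bytes) -> bytes:
    """MAC over the message alone: detects modification, nothing else."""
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()


def tag_with_counter(seq: int, msg: bytes) -> bytes:
    """MAC over (64-bit sequence number || message), TLS-style."""
    return hmac.new(MAC_KEY, struct.pack(">Q", seq) + msg, hashlib.sha256).digest()


class NaiveReceiver:
    """Accepts any message whose tag verifies, in any order, any number of times."""

    def accept(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag_message(msg), tag)


class CountingReceiver:
    """Requires each message to carry the next expected sequence number.
    Once a tag fails, the session is considered compromised and nothing
    further is accepted."""

    def __init__(self) -> None:
        self.expected = 0
        self.dead = False

    def accept(self, msg: bytes, tag: bytes) -> bool:
        if self.dead:
            return False
        ok = hmac.compare_digest(tag_with_counter(self.expected, msg), tag)
        if ok:
            self.expected += 1
        else:
            self.dead = True
        return ok


def deliver(receiver, packets):
    """Feed (msg, tag) pairs to a receiver in the given order; return verdicts."""
    return [receiver.accept(m, t) for m, t in packets]


def demo() -> dict:
    msgs = [b"transfer 10 EUR to Bob", b"transfer 500 EUR to Bob"]  # constructed
    naive = [(m, tag_message(m)) for m in msgs]
    counted = [(m, tag_with_counter(i, m)) for i, m in enumerate(msgs)]

    results = {}
    # Attacker swaps the two messages.
    results["naive_reordered"] = deliver(NaiveReceiver(), naive[::-1])
    results["counted_reordered"] = deliver(CountingReceiver(), counted[::-1])
    # Attacker replays the second message.
    results["naive_replayed"] = deliver(NaiveReceiver(), naive + [naive[1]])
    results["counted_replayed"] = deliver(CountingReceiver(), counted + [counted[1]])
    # Attacker silently drops the first message.
    results["naive_dropped"] = deliver(NaiveReceiver(), naive[1:])
    results["counted_dropped"] = deliver(CountingReceiver(), counted[1:])
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:20s} {verdicts}")
```

The naive receiver accepts every reordered, replayed or gap-containing sequence because each tag is individually valid; the counting receiver rejects them. Reflecting a message back to its sender, the third case Alkemade mentions, is stopped the same way in TLS by using distinct MAC keys per direction, which this block does not show.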