The messenger service WhatsApp no longer has access to the more than 100 billion daily messages on its platform, a comprehensive security test funded by the Swiss National Science Foundation (SNSF) has concluded. One identified weakness can be resolved with a strong password.
This content was published on
3 minutes
Keystone-SDA/ts
Español
es
Una prueba de seguridad de WhatsApp detecta un punto débil
An end-to-end encryption is used to ensure the confidentiality of WhatsApp. However, until recently, the automatic backup of the chats did not offer the same security, according to a statementExternal link by the SNSF. This is because the personal key to the data stored in the cloud was known to the company.
“Backups were safe from everyone apart from WhatsApp itself,” said Julia Hesse, a cryptographer from the IBM Research Institute in Zurich who has received funding from the SNSF.
This could also be why the messenger service launched a new backup protocol at the end of 2021, which Hesse and researchers from the federal technology institute ETH Zurich and the University of Wuppertal in Germany have now examined in detail. The study showed that the company itself is no longer able to access the backups.
The study found that with the new system the copy of the key is no longer stored at the company but on a separate, particularly secure computer to which WhatsApp has no access and whose code cannot be subsequently changed.
If a user loses their smartphone, they can now access the key themselves by entering a password and restore their own chats.
“It’s like the key is stored in a chest that can only be opened with the password,” Hesse said.
The protocol also protects the backup from “brute force” attacks, which keep trying passwords until they find the right one. “Even if a powerful attacker manages to gain control of the WhatsApp servers, the system would only allow them ten attempts, after which the key would be destroyed,” Hesse said. But the data is then lost for the user too.
Password vulnerability
However, the researchers discovered a possible vulnerability: in normal operation mode the system deletes old versions of the backup when a new version is created, such as when changing the password.
“An attack on WhatsApp or elsewhere could result in the old versions being retained, meaning that another ten attempts would be possible for each existing version,” Hesse said. But this loophole can be closed by choosing a strong password. “If, rather than taking their Swiss postcode, the user chooses eight characters with a special character, it doesn’t matter whether the attacker has ten or 200 goes.”
More
More
How a Swiss programme is teaching online privacy to children
This content was published on
Swiss data protection officials say young children should be taught about data security and privacy, before they use the internet.
Swiss foreign minister backs Berset at Council of Europe
This content was published on
Cassis described Berset as the "ideal candidate" to help the Council realise its aim of ensuring security and peace in Europe.
Gay conversion therapy banned in Swiss canton of Valais
This content was published on
On Thursday, the canton approved a new Health Act which includes a ban on therapies aimed at changing sexual orientation or gender identity.
This content was published on
Some aspects of pro-Palestine sit-ins have gone too far, but the right to protest and debate must be upheld, the student association has said.
Swiss LGTBIQ helpline: attacks more than doubled in 2023
This content was published on
Three organisations jointly operating a helpline have called for more awareness, action and funding to address discrimination.
This content was published on
Switzerland's economy grew slightly at the start of 2024, with growth in the service sector contrasting with weak growth in industry.
Swiss employment rate rises in first quarter of 2024
This content was published on
The number of women and foreign nationals in employment increased particularly strongly, the Federal Statistical Office said on Thursday.
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.
Read more
More
Switzerland ticks differently with social media laws
This content was published on
Fake news, conspiracy theories, censorship: the reputation of social media seems at an all-time low. Can it ever be a boon for democracy again?
Cyber expert warns of dangers of unregulated social media
This content was published on
Marietje Schaake, president of the Cyber Peace Institute, talks to SWI swissinfo.ch about the unprecedented challenges in our digital era.
You can find an overview of ongoing debates with our journalists here . Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.