The messenger service WhatsApp no longer has access to the more than 100 billion daily messages on its platform, a comprehensive security test funded by the Swiss National Science Foundation (SNSF) has concluded. One identified weakness can be resolved with a strong password.
Keystone-SDA/ts
WhatsApp uses end-to-end encryption to ensure confidentiality. However, until recently, the automatic backup of chats did not offer the same security, according to a statement by the SNSF. This is because the personal key to the data stored in the cloud was known to the company.
“Backups were safe from everyone apart from WhatsApp itself,” said Julia Hesse, a cryptographer from the IBM Research Institute in Zurich who has received funding from the SNSF.
This could also be why the messenger service launched a new backup protocol at the end of 2021, which Hesse and researchers from the federal technology institute ETH Zurich and the University of Wuppertal in Germany have now examined in detail. The study showed that the company itself is no longer able to access the backups.
The study found that with the new system the copy of the key is no longer stored at the company but on a separate, particularly secure computer to which WhatsApp has no access and whose code cannot be subsequently changed.
If a user loses their smartphone, they can now access the key themselves by entering a password and restore their own chats.
“It’s like the key is stored in a chest that can only be opened with the password,” Hesse said.
The protocol also protects the backup from “brute force” attacks, which keep trying passwords until they find the right one. “Even if a powerful attacker manages to gain control of the WhatsApp servers, the system would only allow them ten attempts, after which the key would be destroyed,” Hesse said. But the data is then lost for the user too.
Password vulnerability
However, the researchers discovered a possible vulnerability: in normal operation mode the system deletes old versions of the backup when a new version is created, such as when changing the password.
“An attack on WhatsApp or elsewhere could result in the old versions being retained, meaning that another ten attempts would be possible for each existing version,” Hesse said. But this loophole can be closed by choosing a strong password. “If, rather than taking their Swiss postcode, the user chooses eight characters with a special character, it doesn’t matter whether the attacker has ten or 200 goes.”
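The ten-attempt limit and the retained-version weakness described above, as a toy model added here (it is not WhatsApp's protocol or code from the study). It assumes a four-digit postcode guessed in numeric order, the same password on every retained version, and 94 printable characters for the strong password; `Vault`, `try_guesses`, `success_probability` and `demo` are hypothetical names.

```python
import hashlib, hmac, os

MAX_ATTEMPTS = 10  # per-version guess limit quoted in the article
POSTCODE_SPACE = 9000  # assumed: four-digit codes 1000..9999
STRONG_SPACE = 94 ** 8  # assumed: eight random printable-ASCII characters

class Vault:
    """Toy model of one stored key version; the attempt counter is the control."""
    def __init__(self, password: str, key: bytes):
        self._salt = os.urandom(16)
        self._check = self._hash(password)
        self._key, self._failures = key, 0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 1000)

    def recover(self, guess: str):
        """Return the key on a correct guess; destroy it after ten failures."""
        if self._key is None:
            return None  # destroyed: lost for the legitimate user too
        if hmac.compare_digest(self._hash(guess), self._check):
            self._failures = 0
            return self._key
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._key = None
        return None

def try_guesses(vaults, guesses):
    """Spend each retained version's ten attempts on the next guesses in order."""
    pending = iter(guesses)
    for vault in vaults:
        for _ in range(MAX_ATTEMPTS):
            guess = next(pending, None)
            if guess is None:
                return None
            key = vault.recover(guess)
            if key is not None:
                return key
    return None

def success_probability(space: int, versions: int) -> float:
    """Chance that versions * 10 distinct guesses hit a uniformly chosen password."""
    return min(1.0, versions * MAX_ATTEMPTS / space)

def demo(password="1150", key=b"\x01" * 32):  # constructed sample values
    guesses = [str(n) for n in range(1000, 10000)]
    return (try_guesses([Vault(password, key)], guesses),
            try_guesses([Vault(password, key) for _ in range(20)], guesses))
```

With 20 retained versions the model allows 200 guesses: about a 2% chance against a postcode, and about 3 in 10^14 against the strong password.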
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.