The messenger service WhatsApp no longer has access to the more than 100 billion daily messages on its platform, a comprehensive security test funded by the Swiss National Science Foundation (SNSF) has concluded. One identified weakness can be resolved with a strong password.
This content was published on
3 minutes
Keystone-SDA/ts
Español
es
Una prueba de seguridad de WhatsApp detecta un punto débil
An end-to-end encryption is used to ensure the confidentiality of WhatsApp. However, until recently, the automatic backup of the chats did not offer the same security, according to a statementExternal link by the SNSF. This is because the personal key to the data stored in the cloud was known to the company.
“Backups were safe from everyone apart from WhatsApp itself,” said Julia Hesse, a cryptographer from the IBM Research Institute in Zurich who has received funding from the SNSF.
This could also be why the messenger service launched a new backup protocol at the end of 2021, which Hesse and researchers from the federal technology institute ETH Zurich and the University of Wuppertal in Germany have now examined in detail. The study showed that the company itself is no longer able to access the backups.
The study found that with the new system the copy of the key is no longer stored at the company but on a separate, particularly secure computer to which WhatsApp has no access and whose code cannot be subsequently changed.
If a user loses their smartphone, they can now access the key themselves by entering a password and restore their own chats.
“It’s like the key is stored in a chest that can only be opened with the password,” Hesse said.
The protocol also protects the backup from “brute force” attacks, which keep trying passwords until they find the right one. “Even if a powerful attacker manages to gain control of the WhatsApp servers, the system would only allow them ten attempts, after which the key would be destroyed,” Hesse said. But the data is then lost for the user too.
Password vulnerability
However, the researchers discovered a possible vulnerability: in normal operation mode the system deletes old versions of the backup when a new version is created, such as when changing the password.
“An attack on WhatsApp or elsewhere could result in the old versions being retained, meaning that another ten attempts would be possible for each existing version,” Hesse said. But this loophole can be closed by choosing a strong password. “If, rather than taking their Swiss postcode, the user chooses eight characters with a special character, it doesn’t matter whether the attacker has ten or 200 goes.”
More
More
How a Swiss programme is teaching online privacy to children
This content was published on
Swiss data protection officials say young children should be taught about data security and privacy, before they use the internet.
Switzerland invites 160 delegations to June Ukraine peace talks
This content was published on
Russia is currently not among the delegations invited to talks aimed at helping bring about peace in the conflict between Moscow and Ukraine.
Survey: air travel most popular way to go on holidays for Swiss
This content was published on
Despite the climate crisis, flying is the most popular mode of transport for private travel – particularly among young, urban and high-income travellers.
Swiss government to use phone data to identify asylum seekers
This content was published on
From April 2025, authorities plan to be able to analyse data from mobile phones, computers and other data carriers to identify asylum seekers.
Young undocumented migrants gain easier access to vocational training
This content was published on
Rejected asylum-seekers and young undocumented migrants in Switzerland will have easier access to basic vocational training from June 1.
Migration: Swiss government wants to shorten reunification period for families
This content was published on
Family members of people temporarily admitted to Switzerland should in future be able to join them after two years instead of three.
This content was published on
2023 was a record year for the Rhaetian Railway in several respects. Never before has the narrow-gauge railway in Graubünden, eastern Switzerland, transported so many passengers and cars.
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.
Read more
More
Switzerland ticks differently with social media laws
This content was published on
Fake news, conspiracy theories, censorship: the reputation of social media seems at an all-time low. Can it ever be a boon for democracy again?
Cyber expert warns of dangers of unregulated social media
This content was published on
Marietje Schaake, president of the Cyber Peace Institute, talks to SWI swissinfo.ch about the unprecedented challenges in our digital era.
You can find an overview of ongoing debates with our journalists here . Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.