A major design flaw in the cryptographic implementation of messaging service WhatsApp would let hackers to decrypt captured messengers, a developer reveals.
Dutch developer Thijs Alkemade has found a flaw in the WhatsApp’s security as it implements the same key to encrypt outgoing and incoming messages between the client and the WhatsApp server.
Alkemade said that RC4 is a pseudo-random number generator [PRNG] that generates a stream of bytes, which are xored with the plaintext that is to be encrypted.
"By xoring the ciphertext with the same stream, the plaintext is recovered," Alkemade said.
In response to Alkemade findings, WhatsApp dismissed the claim that all its conversations were compromised.
WhatsApp spokesman was cited by PC World as saying that WhatsApp takes security seriously and is continually thinking of ways to improve the product.
"While we appreciate feedback, we’re concerned that the blogger’s story describes a scenario that is more theoretical in nature," he said.
"Also stating that all conversations should be considered compromised is inaccurate."
The issue currently exists on Nokia Series 40 and Android powered devices and while the devices powered by Apple’s iOS operating system are probable to be hit with the flaw.
"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort," Alkemade added.
"You should consider all your previous WhatsApp conversations compromised.
"There is nothing a WhatsApp user can do about this but except to stop using it until the developers can update it."
Recently, WhatsApp was also attacked by the Pro-Palestinian hackers and was redirected to defaced pages.
