Tag: Security Vulnerability
But unlike a Xen flaw in 2014, this time public cloud providers do not have to reboot all their servers.
The security researcher cited in the report acknowledged that the word 'backdoor' was probably not the best choice.
WhatsApp this week denied that its app provides a "backdoor" to encrypted texts.
A report published Friday by The Guardian, citing cryptography and security researcher Tobias Boelter, suggests a security vulnerability within WhatsApp could be used by government agencies as a backdoor to snoop on users.
"This claim is false," a WhatsApp spokesman told PCMag in an email.
The Facebook-owned company will "fight any government request to create a backdoor," he added.
WhatsApp in April turned on full end-to-end encryption—using the Signal protocol developed by Open Whisper Systems—to protect messages from the prying eyes of cybercriminals, hackers, "oppressive regimes," and even Facebook itself.
The system, as described by The Guardian, relies on unique security keys traded and verified between users in an effort to guarantee communications are secure and cannot be intercepted. When any of WhatsApp's billion users get a new phone or reinstall the program, their encryption keys change—"something any public key cryptography system has to deal with," Open Whisper Systems founder Moxie Marlinspike wrote in a Friday blog post.
During that process, messages may back up on the phone, waiting their turn to be re-encrypted.
According to The Guardian, that's when someone could sneak in, fake having a new phone, and hijack the texts.
But according to Marlinspike, "the fact that WhatsApp handles key changes is not a 'backdoor,' it is how cryptography works.
"Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system," he wrote.
"We appreciate the interest people have in the security of their messages and calls on WhatsApp," co-founder Brian Acton wrote in a Friday Reddit post. "We will continue to set the record straight in the face of baseless accusations about 'backdoors' and help people understand how we've built WhatsApp with critical security features at such a large scale.
"Most importantly," he added, "we'll continue investing in technology and building simple features that help protect the privacy and security of messages and calls on WhatsApp."
In a blog post, Boelter said The Guardian's decision to use the word "backdoor" was probably not "the best choice there, but I can also see that there are arguments for calling it a 'backdoor.'" But Facebook was "furious and issued a blank denial, [which] polarized sides.
"I wish I could have had this debate with the Facebook Security Team in...private, without the public listening and judging our opinions, agreeing on a solution and giving a joint statement at the end," Boelter continued.
In an earlier post, Boelter said he reported the vulnerability in April 2016, but Facebook failed to fix it.
Boelter—a German computer scientist, entrepreneur, and PhD student at UC Berkeley focusing on Security and Cryptography—acknowledged that resolving the issue in public is a double-edged sword.
"The ordinary people following the news and reading headlines do not understand or do not bother to understand the details and nuances we are discussing now. Leaving them with wrong impressions leading to wrong and dangerous decisions: If they think WhatsApp is 'backdoored' and insecure, they will start using other means of communication. Likely much more insecure ones," he wrote. "The truth is that most other messengers who claim to have "end-to-end encryption" have the same vulnerability or have other flaws. On the other hand, if they now think all claims about a backdoor were wrong, high-risk users might continue trusting WhatsApp with their most sensitive information."
Boelter said he'd be content to leave the app as is if WhatsApp can prove that "1) too many messages get [sent] to old keys, don't get delivered, and need to be [re-sent] later and 2) it would be too dangerous to make blocking an option (moxie and I had a discussion on this)."
Then, "I could actually live with the current implementation, except for voice calls of course," provided WhatsApp is transparent about the issue, like adding a notice about key change notifications being delayed.
After weeks of going back and forth verifying what the exact bug was and how it was exploited, Facebook said it would award him $5,000 for the discovery.
And on Tuesday it did. The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform.
DeVoss discovered as an administrator of a Facebook Group he could invite any Facebook member to have Admin Roles via Facebook’s system to do things such as edit post or add new members. Those invitations were handled by Facebook and sent to the invited recipient’s Facebook Messages inbox, but also to the Facebook user’s email address associated with their account.
In many cases users choose to keep their email addresses private.
Facebook said it has implemented a fix to prevent the issue from being exploited. DeVoss, a software developer in Virginia, said this is the largest bug bounty payment he has ever earned. He told Threatpost he participates in a number of bug bounty programs including Yahoo’s and the Hack the Pentagon program. For its part, in October Facebook announced it has paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program.
The company said it paid out $611,741 to 149 researchers in the first half of 2016 alone. Facebook was one of the first websites to launch a bug program when it followed in the footsteps of both Mozilla and Google in August 2011. In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image sharing app Instagram, which Facebook bought for $1B in 2012. The company awarded $15,000 to Anand Prakash in March for a bug allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.