WhatsApp’s CEO Jan Koum has told TechGeek that a Dutch computer science student’s claims that all messages should be considered compromised are “inaccurate”, and that the entire story has been “sensationalised and overblown”.
The Dutch computer science student, Thijs Alkemade of Utrecht University, this week published several flaws in WhatsApp’s encryption. In his blog post he explained that the app reuses the same RC4 key, and therefore the same keystream, for both directions of a conversation. Because RC4 simply XORs the keystream into the message, an attacker who captures both sides can XOR the two ciphertexts together, cancel the keystream and recover message contents. He also found that the app’s authentication was weak.
How bad is it? According to one security consultant, “it is very bad.”
“It’s an extremely bad flaw that lots of people know how to exploit,” Thomas Ptacek, a security consultant, told Ars Technica in a Twitter conversation. He added that the attack Alkemade described in his blog post was “the kind you have a kid write.”
“What it does is transform RC4 into a repeating-key XOR cipher,” Ptacek told Ars Technica’s Dan Goodin. “An attacker that knows any of the plaintext of one side of the connection can use it to recover plaintext of the other side. But also the whole message can be attacked statistically; the attack takes microseconds.”
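The attack Ptacek describes is the classic stream-cipher keystream-reuse (“two-time pad”) problem. The following Python is an added illustration written for this article, not code from Alkemade’s post or from WhatsApp: it implements textbook RC4, encrypts one message in each direction under the same key, and shows that knowing the plaintext of one side is enough to read the other side. The key, the two messages and the function names are all constructed for the example; the statistical attack Ptacek also mentions is not shown.

```python
# Constructed demonstration of why reusing one RC4 key for both directions of
# a connection is fatal. RC4 is a stream cipher: ciphertext = plaintext XOR
# keystream, and the keystream depends only on the key. Two messages encrypted
# under the same key are XORed with the same keystream, so XORing the two
# ciphertexts cancels it. Keys and messages below are invented for the example;
# this is not WhatsApp's protocol or Alkemade's code.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_direction(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one message with a fresh RC4 instance keyed with `key`.

    Calling this for both directions with the same key is the flaw modelled
    here: every message then starts at the same point of the same keystream.
    """
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def recover_other_side(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Known-plaintext attack across directions.

    ct_known XOR pt_known yields the shared keystream prefix; XORing that
    into ct_target strips it from the other side's message. Only as many
    bytes as the attacker knows of pt_known can be recovered this way.
    """
    keystream = xor_bytes(ct_known, pt_known)
    return xor_bytes(ct_target, keystream)


# Constructed sample traffic (not real captures). Hypothetical keys.
SHARED_KEY = b"constructed-session-key"          # reused in both directions
OTHER_KEY = b"different-key-per-direction"       # used only for the fixed case
PT_CLIENT = b"GET /status HTTP/1.1\r\nHost: example.invalid\r\n"  # predictable
PT_SERVER = b"Meet me at the station at 9, bring the documents."


def attack_with_key_reuse() -> bytes:
    """Both sides encrypt under SHARED_KEY; the attacker knows only PT_CLIENT."""
    ct_client = encrypt_direction(SHARED_KEY, PT_CLIENT)
    ct_server = encrypt_direction(SHARED_KEY, PT_SERVER)
    return recover_other_side(ct_client, PT_CLIENT, ct_server)


def attack_without_key_reuse() -> bytes:
    """Each direction keyed separately; the same computation yields garbage."""
    ct_client = encrypt_direction(SHARED_KEY, PT_CLIENT)
    ct_server = encrypt_direction(OTHER_KEY, PT_SERVER)
    return recover_other_side(ct_client, PT_CLIENT, ct_server)


if __name__ == "__main__":
    print("key reused  :", attack_with_key_reuse())
    print("separate key:", attack_without_key_reuse())
```

The recovered bytes cover the server’s message up to the length of the client plaintext the attacker knows; in practice protocol headers and greetings supply exactly that kind of predictable prefix, and once the keystream prefix is known it decrypts every subsequent message in either direction that starts from the same key.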
Koum, however, downplayed Alkemade’s assessment.
“WhatsApp takes security seriously and is continually thinking of ways to improve our product. While we appreciate feedback, we’re concerned that the blogger’s story describes a scenario that is more theoretical in nature. Also stating that all conversations should be considered compromised is inaccurate,” Koum wrote in an email.
“Basically, this is sensationalized and overblown. Please report responsibly and do more research.”
“We have a company to run.”