Mike Snider, and Elizabeth Weise

USA TODAY

WhatsApp has a security flaw that could allow encrypted messages to be intercepted, security and privacy advocates say, even though owner Facebook has said the popular messaging app provides end-to-end encryption.

WhatsApp, acquired by Facebook in 2014, said last year that all communication, such as text messages, videos and other files, flowing through the service would be encrypted. The app has become hugely popular, with more than 1 billion users.

Around the time that WhatsApp announced its end-to-end encryption, cryptography and security researcher Tobias Boelter at the University of California-Berkeley contacted WhatsApp about a flaw he found in the app. He found that undelivered messages — perhaps because the receiver of the message was offline or had changed his or her phone number — could be intercepted either by an attacker or WhatsApp itself, he says.


That's because when a recipient's encryption key changes, the sender's WhatsApp app generates a fresh encrypted copy of any undelivered messages under the new key and resends them. A third party that can get a substitute key distributed to the sender could therefore read those resent copies, and so could WhatsApp itself, since the re-encrypted messages pass through its servers and it is the party that distributes the keys.
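The key-change behaviour described above, as an added example that is not code from WhatsApp, Facebook or Boelter. It models a sender whose undelivered message is re-encrypted to whatever key the directory server reports, and a directory server whose operator substitutes a key it controls. Everything here is an assumption for illustration: a toy Diffie-Hellman group (WhatsApp's real design is the Signal protocol, which this toy stands in for), a toy SHA-256 stream cipher, the names alice and bob, and a `block_on_key_change` switch that contrasts automatic resending with a client that sends nothing until the user confirms the new key.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption for this example only; not WhatsApp's
# real group). P is the Mersenne prime 2**127 - 1, G = 3.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def stream_xor(key, data):
    """Toy stream cipher: keystream block i = SHA-256(key || i). Demo only;
    applying it twice with the same key decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyServer:
    """Directory the clients trust for public keys. The operator, or anyone
    who can compel the operator, may publish a substitute key it controls."""

    def __init__(self):
        self.pubs = {}
        self.substituted = {}

    def register(self, user, pub):
        self.pubs[user] = pub

    def lookup(self, user):
        return self.substituted.get(user, self.pubs[user])

    def substitute(self, user):
        """Publish an operator-controlled key for `user`; return its private half."""
        priv, pub = keygen()
        self.substituted[user] = pub
        return priv


class Client:
    def __init__(self, name, server, block_on_key_change):
        self.name = name
        self.server = server
        self.block_on_key_change = block_on_key_change
        self.priv, self.pub = keygen()
        server.register(name, self.pub)
        self.trusted = {}      # peer -> public key pinned at first contact
        self.undelivered = {}  # peer -> plaintexts still awaiting delivery

    def send(self, peer, plaintext):
        """Encrypt to the peer's currently trusted key. The peer is offline in
        this scenario, so the plaintext is also kept for redelivery."""
        pub = self.trusted.setdefault(peer, self.server.lookup(peer))
        self.undelivered.setdefault(peer, []).append(plaintext)
        return stream_xor(shared_key(self.priv, pub), plaintext)

    def on_key_change(self, peer):
        """Server reports a new key for `peer`. Auto mode re-encrypts and resends
        every undelivered message under the new key; blocking mode sends nothing
        until the user has verified the new key out of band."""
        new_pub = self.server.lookup(peer)
        if self.block_on_key_change:
            return []
        self.trusted[peer] = new_pub
        key = shared_key(self.priv, new_pub)
        return [stream_xor(key, m) for m in self.undelivered.get(peer, [])]


def run_scenario(block_on_key_change):
    """Alice queues a message for offline Bob; the server then swaps Bob's key
    for one it controls. Returns (number of resent ciphertexts, plaintexts the
    operator recovers from them, whether the operator can read the original)."""
    server = KeyServer()
    alice = Client("alice", server, block_on_key_change)
    Client("bob", server, block_on_key_change)  # Bob registers, then goes offline
    plaintext = b"meet at the safe house at 9"
    original = alice.send("bob", plaintext)
    mitm_priv = server.substitute("bob")
    resent = alice.on_key_change("bob")
    operator_key = shared_key(mitm_priv, server.lookup("alice"))
    recovered = [stream_xor(operator_key, c) for c in resent]
    original_readable = stream_xor(operator_key, original) == plaintext
    return len(resent), recovered, original_readable


if __name__ == "__main__":
    print("auto-resend:", run_scenario(block_on_key_change=False))
    print("blocking:   ", run_scenario(block_on_key_change=True))
```

The original ciphertext, encrypted to Bob's genuine key, stays unreadable to the operator in both runs; what leaks is only the copy the client re-encrypts to the substituted key without asking. The security-notification setting the company cites tells the sender about the change after the fact, which is why the distinction between notifying and blocking matters.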

In an interview with The Guardian, Boelter said, “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

Boelter did a presentation on the WhatsApp vulnerability this year — a video is posted on Twitter — and wrote about the situation on his blog in May, saying that "next time, the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI."

He contacted Facebook and WhatsApp about the vulnerability in April 2016, and in May, Facebook told him the company was not "actively working on changing" it.

In a statement to USA TODAY, WhatsApp said, "The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a 'backdoor' allowing governments to force WhatsApp to decrypt message streams. This claim is false."

The appmaker "does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor," the statement continues. "The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."

Boelter told USA TODAY in an email conversation that WhatsApp's claim that this "was intended as a feature ... is not a very good argument, as the security should be a top priority for them."

"Especially high-risk users who were relying on the end-to-end encryption of WhatsApp should be concerned since WhatsApp could’ve intercepted some of their sensitive messages," he said. "Concerned users should switch to a messenger where security is a higher priority, like the (open source) Signal messenger (from Open Whisper Systems) which I also use. ... Signal claims to store much less metadata on their servers than WhatsApp allows itself in their privacy policy. And Signal is just as easy to use as WhatsApp."

The potential government abuse "from this misuse of encryption with WhatsApp is alarming,” said Kevin Bocek, vice president of security strategy at Venafi, a company that secures cryptographic keys.

Companies need to have systems in place to protect and change keys quickly. “This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption, to protect privacy — what has become a basic right for both people and machines worldwide,” he said.

WhatsApp has breached consumers' trust "as well as potentially the communications privacy of all of their users, depending on how widespread the practice of flipping encryption keys is," said Kirstie Ball, a professor at the Centre for Research into Information Surveillance and Privacy at the University of St. Andrews (Scotland). "This concerns users because it means that they have no guaranteed communications privacy on WhatsApp, so it is potentially a breach of their fundamental human rights."

Privacy advocates had been concerned with WhatsApp on another issue. In August 2016, WhatsApp said it would begin sharing data with Facebook as a way to better serve users and fight spam. The requirement that users opt out of the feature led privacy groups, including the Electronic Privacy Information Center, to file complaints with the Federal Trade Commission.

EPIC called the move an "unfair and deceptive trade practice." European Union Commissioner Margrethe Vestager said Facebook "gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp."

