UK-based publication The Guardian published a report on Friday accusing WhatsApp of harboring a backdoor that, by The Guardian's account, would allow the Facebook-owned messaging service to snoop on users' personal data, specifically their encrypted messages.
As soon as the article went live, however, security experts expressed suspicion over the publication's questionable claims targeting WhatsApp.
On the same day, Open Whisper Systems, the group behind the Signal Protocol that WhatsApp uses for its end-to-end encryption and behind Signal, its own secure messaging app, responded to the article in a blog post. The nearly 1,000-word reply rebuffed the publication's claims and expressed sharp dismay over the report.
The Guardian's Claims
In the article, The Guardian claims that WhatsApp's end-to-end encryption contains a flaw that could serve as a backdoor, letting the company, and by extension government agencies that lean on it, "snoop" on users' messages, a troubling prospect for privacy at a time when data breaches are constantly in the news.
The behavior, as described in The Guardian's report, concerns messages that are still undelivered because the recipient is offline. If the recipient's identity key changes in the meantime (which normally happens when they reinstall WhatsApp or move to a new phone), the sender's client re-encrypts the pending messages under the new key and sends them again rather than failing. The Guardian's claim is that WhatsApp, which distributes those keys, could force such a key change for an offline user without either party knowing.
The problem the report points out is that the sender is not alerted to the key change by default (WhatsApp's "show security notifications" setting is off unless the user turns it on), and that even with the setting enabled the alert arrives only after the re-encrypted messages have already gone out. This, The Guardian claims, would allow WhatsApp, or anyone who can compel it, to intercept and read messages.
Some security experts took to Twitter to question the accuracy of The Guardian's reporting. One of them was Frederic Jacobs, a former Signal developer at Open Whisper Systems.
"Of course, if you don't verify keys [Signal, WhatsApp, etc.] can man-in-the-middle your communications," said Jacobs. "It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well known fact."
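What the dispute turns on can be shown in a few dozen lines. The following is an added illustration written for this piece, not code from WhatsApp, Signal or Open Whisper Systems: a toy client that pins a recipient's identity key on first contact, queues a message while the recipient is offline, and is then told by the server that the recipient's key has changed. The "resend" policy re-encrypts under whatever key the server announces (the behavior the report describes), so a server that substitutes its own key reads the message, which is the man-in-the-middle Jacobs refers to; the "block" policy holds the message until the user compares fingerprints. Everything cryptographic here is a stand-in: Diffie-Hellman over the prime 2**127 - 1 and an HMAC-SHA256 keystream replace X25519 and the Double Ratchet, and all function and variable names are this example's own.

```python
"""Toy model of the key-change behaviour described above.

Added illustration, not code from WhatsApp, Signal or Open Whisper Systems.
Identity keys are finite-field Diffie-Hellman over the Mersenne prime
2**127 - 1 (illustrative only, far too small for real use), and messages
are protected with an HMAC-SHA256 keystream plus an HMAC tag. Only the
client policy on a changed identity key is modelled here.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy DH modulus (assumption: illustrative, not a real group)
G = 2


def keygen():
    """Return a (private, public) identity key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash a user would compare out of band (the 'safety number' idea)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:12]


def session_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret with peer_pub."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC with a fresh random nonce; returns (nonce, ct, tag)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt(key, nonce, ct, tag):
    """Return the plaintext, or None if the tag does not verify under key."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def key_change_scenario(policy, notify):
    """Alice messages Bob while Bob is offline; the server then announces a new key for Bob.

    policy: "resend" re-encrypts queued messages under the announced key
            (the behaviour the report describes); "block" holds them until
            the user has verified the new fingerprint.
    notify: whether the client shows key-change notifications at all
            (WhatsApp's optional "show security notifications" setting).
    Returns what the server could read, what Alice saw, and whether the
    message left her device.
    """
    alice_priv, alice_pub = keygen()
    _bob_priv, bob_pub = keygen()
    server_priv, server_pub = keygen()      # server acting as a man in the middle

    pinned = bob_pub                        # Bob's key, learned on first contact
    msg = b"meet at the usual place"        # constructed sample message
    events = []

    # 1. Bob is offline: Alice encrypts for the pinned key; the server queues
    #    the ciphertext but cannot read it.
    queued = encrypt(session_key(alice_priv, pinned), msg)
    server_reads = decrypt(session_key(server_priv, alice_pub), *queued)   # None

    # 2. The server announces that Bob's key changed and supplies its own key.
    announced = server_pub
    delivered = False
    if announced != pinned:
        if policy == "resend":
            # Re-encrypt and resend first; any notification comes after the fact.
            resent = encrypt(session_key(alice_priv, announced), msg)
            pinned = announced              # client now trusts the new key
            delivered = True
            server_reads = decrypt(session_key(server_priv, alice_pub), *resent)
            if notify:
                events.append(
                    f"security code changed: {fingerprint(bob_pub)} -> {fingerprint(pinned)}")
        else:  # "block"
            events.append(
                f"message held: verify {fingerprint(announced)} with Bob before sending "
                f"(previously {fingerprint(bob_pub)})")

    return {"server_reads": server_reads, "delivered": delivered, "events": events}
```

Note what the "block" policy costs: if Bob genuinely reinstalled, the queued message sits undelivered until Alice acts, which is the trade-off WhatsApp cites in its statement. Neither policy substitutes for comparing fingerprints out of band; without that, a client cannot tell a reinstall from a substituted key.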
The article cited Tobias Boelter, the UC Berkeley student who reported the behavior, and presented his findings as an exclusive. They were not.
Boelter had already notified Facebook about the behavior as far back as April 2016; Facebook responded that it was "expected behavior," a feature rather than a backdoor vulnerability.
Boelter's report had in fact been published online in early 2016 and has never been taken down, so The Guardian had no exclusive on it.
When Mashable reached out to WhatsApp, the company said The Guardian's claims are false, adding that it does not give government agencies any form of backdoor into its systems and would firmly refuse such a request if one came up.
"The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks," said WhatsApp.
What's your take on all this end-to-end encryption business? Feel free to sound off in the comments section below!