Slashdot Mirror


Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org)

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and a misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning, even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."

2 of 70 comments

  1. Comment removed by account_deleted · Score: 3, Interesting

    Comment removed based on user account deletion

  2. Re:Take a note of who is doing the requesting by Opportunist · Score: 4, Interesting

    Dude, take a look at what's happening here.

    The "security hole" in question here is basically the same deal as you have with every other service where you can transfer your service to a new device. You know, you buy a new phone, then want to continue using your IM or whatever on the new phone... but with the new phone you'd also get to negotiate new encryption keys. And that means that all messages still in the queue would be lost, because they have been encrypted with your old key.

    That's the whole "exploit" here.

    There are plenty of reasons to distrust WhatsApp and even more reasons to avoid it like the plague, not the least of which being that it hands all data over to FB despite first claiming and vowing that it would never do that.

    If THIS is your reason to distrust WhatsApp, you have bigger problems.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
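The trade-off the editorial describes, and the queued-message problem the comment above explains, can be made concrete with a small simulation. This is an added example, not WhatsApp's or Signal's code: it models a sender whose undelivered messages meet a peer key change under two policies, "re-encrypt to the new key and warn" versus "hold until the user verifies", and shows what the user sees depending on whether the key-change notification setting is on. All names (`SenderClient`, `K_old`, `K_new`, the `enc[...]` placeholder for ciphertext) are constructed for the example.

```python
from dataclasses import dataclass, field

BLOCKING = "block_until_verified"   # hold queued messages until the user confirms the new key
RESEND = "resend_and_warn"          # re-encrypt queued messages to the new key, show a warning


@dataclass
class SenderClient:
    """Toy model of one sender's view of a single peer (constructed, not real client code)."""
    peer_key: str                    # identity key currently trusted for the peer
    notify_key_change: bool = True   # the "show security notifications" user setting
    policy: str = RESEND
    outbox: list = field(default_factory=list)    # plaintexts not yet delivered (peer offline)
    sent: list = field(default_factory=list)      # (key_used, ciphertext) actually transmitted
    warnings: list = field(default_factory=list)  # what the user would see on screen
    held: bool = False               # BLOCKING policy: queue frozen until verified

    def queue(self, msg: str) -> None:
        self.outbox.append(msg)

    def flush(self) -> list:
        """Encrypt everything in the outbox to the currently trusted key and send it."""
        if self.held:
            return []
        batch = [(self.peer_key, f"enc[{self.peer_key}]:{m}") for m in self.outbox]
        self.sent.extend(batch)
        self.outbox.clear()
        return batch

    def on_key_change(self, new_key: str) -> list:
        """The server announces a new identity key for the peer (e.g. the peer got a new phone)."""
        old, self.peer_key = self.peer_key, new_key
        if self.notify_key_change:
            self.warnings.append(f"safety number changed for peer: {old} -> {new_key}")
        if self.policy == BLOCKING:
            self.held = True         # nothing is re-encrypted until the user acts
            return []
        return self.flush()          # undelivered messages go out under the new key, warning shown

    def user_verified_new_key(self) -> list:
        """User compared safety numbers out of band and accepted the new key."""
        self.held = False
        return self.flush()


def run_scenario(policy: str, notify: bool) -> SenderClient:
    """Two messages are queued while the peer is offline, then the peer's key changes."""
    client = SenderClient(peer_key="K_old", notify_key_change=notify, policy=policy)
    client.queue("meet at 9")
    client.queue("bring the docs")
    client.on_key_change("K_new")
    return client
```

The defender-side takeaway is the `warnings` list: with the notification setting off, the re-send policy delivers silently, which is exactly the detection gap the editorial says limits the attack to users who have the setting enabled.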