The Guardian report flagged the vulnerability in the messaging app WhatsApp. The report described the vulnerability as a backdoor that still exists despite having been brought to attention earlier. Despite being just another messaging app, WhatsApp has gained a lot of respect from security experts for its end-to-end encryption across the platform.
According to TechCrunch, the security issue identified by Boelter, and now reported on by the Guardian after he gave a talk about it at the end of last month, concerns an aspect of WhatsApp’s Signal implementation that allows it to force the generation of new encryption keys for offline users.
Boelter describes this as a retransmission vulnerability and claims it is a route for messages to be intercepted and read — and thus a potential backdoor in WhatsApp’s end-to-end encryption.
WhatsApp Denies the Backdoor Characterization
However, WhatsApp denies the backdoor characterization, saying it’s a design decision relating to message delivery, with new keys being generated for offline users in order to ensure messages don’t get lost in transit.
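As an added illustration (a constructed simulation, not WhatsApp’s or Signal’s code), the following Python models the decision at the heart of the dispute: messages queued for an offline recipient, a server-announced identity key change, and two client policies, resending silently under the new key versus holding the queue and showing a security notification until the user verifies the key. All names, keys and messages are hypothetical.

```python
from dataclasses import dataclass, field

AUTO_RESEND = "auto_resend"       # re-seal to the new key and resend silently
HOLD_UNTIL_VERIFIED = "hold"      # keep the queue and surface a key-change warning


@dataclass
class Message:
    text: str
    key_id: str                   # identity key the ciphertext was sealed to


@dataclass
class SenderClient:
    policy: str
    trusted_keys: dict = field(default_factory=dict)  # TOFU store: user -> key id
    outbox: list = field(default_factory=list)        # undelivered messages
    warnings: list = field(default_factory=list)      # security notifications shown

    def send(self, user, text, advertised_key):
        # First contact: trust on first use, then keep using the stored key.
        self.trusted_keys.setdefault(user, advertised_key)
        self.outbox.append(Message(text, self.trusted_keys[user]))

    def on_key_change(self, user, new_key):
        """Server announces a new identity key for `user` while messages are queued.
        Returns the plaintexts that get resent under the new key."""
        old = self.trusted_keys.get(user)
        if old is None or old == new_key:
            return []
        pending = [m for m in self.outbox if m.key_id == old]
        if self.policy == AUTO_RESEND:
            # The behaviour described above: re-seal queued messages to the new
            # key and resend them without waiting for the user to verify it.
            self.trusted_keys[user] = new_key
            for m in pending:
                m.key_id = new_key
            return [m.text for m in pending]
        # Hold: nothing is sealed to the unverified key; warn and wait.
        self.warnings.append(
            f"{user}: identity key changed {old} -> {new_key}; "
            f"{len(pending)} message(s) held until verified")
        return []

    def verify(self, user, new_key):
        """User has checked the new key out of band; release held messages."""
        old = self.trusted_keys.get(user)
        self.trusted_keys[user] = new_key
        released = [m for m in self.outbox if m.key_id == old]
        for m in released:
            m.key_id = new_key
        return [m.text for m in released]
```

The difference between the two policies is exactly what the two sides argue about: the first never loses a message, the second never sends one to a key the user has not seen.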
The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a backdoor allowing governments to force WhatsApp to decrypt message streams. This claim is false, said a company spokesperson in a statement sent to TechCrunch.
WhatsApp does not give governments a backdoor into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report, it added.
Multiple commentators have raised questions about this, and have described the potential security loophole as being “as important as a password”.