The Guardian, a well-known UK-based newspaper, is being heavily criticized by security researchers for publishing an unverified story about a WhatsApp vulnerability. The paper reported that it was possible to intercept encrypted messages on WhatsApp because the application contained a backdoor.
The Guardian's report claimed that a security flaw could be exploited to allow Facebook and other services to intercept and read encrypted communications on WhatsApp, the world's most widely used instant messaging service. Security researchers now dismiss that claim as false. Tobias Boelter, a security researcher and cryptography investigator, was credited by the Guardian with identifying the flaw.
A group of 30 security researchers has now co-signed an open letter to pressure the Guardian into retracting the story, asserting that the paper is 'very concretely' endangering the public. The co-signers include prominent figures in the security industry: the Tor Project's Isis Lovecruft, cryptographer Bruce Schneier, Mozilla's Katherine McKinley, security researcher Thaddeus 'the Grugq', security researcher and author Jonathan Zdziarski, and the Open Crypto Audit Project's Kenneth White.
Security researchers consider the behaviour the Guardian pointed out a minor issue that poses an insignificant threat. It concerns the way WhatsApp handles retransmission of undelivered messages when a user changes phone or SIM card. The researchers hold that it is unlikely to cause any harm and describe WhatsApp as a reliable messaging platform.
The academic responsible for organizing this open letter, Zeynep Tufekci, wrote in the letter that:
“Unfortunately, your story was the equivalent of putting ‘Vaccines Kill People’ in a blaring headline over a poorly contextualized piece. My alarm is from observing what’s been happening since the publication of this story and years of experience in these areas. You should never have reported on such a crucial issue without interviewing a wide range of experts.”
It is worth noting that WhatsApp immediately rejected the Guardian's claim and stated that encrypted messages cannot be intercepted or read: new keys are generated for users who are offline so that messages do not get lost in transit. The company also stated that it has never given governments a backdoor into its systems and would not do so for any government, even under pressure.
In a statement, WhatsApp explained that:
“The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
The Guardian's report was based on research carried out by independent researcher Boelter in April 2016. Boelter stated that he informed WhatsApp's parent company Facebook when he identified the retransmission vulnerability, but received the reply that it was "expected behavior."
WhatsApp argues that the key retransmission method is a deliberate 'design decision' taken to reduce the risk of messages being lost when a phone is switched or a SIM is changed.
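To make the trade-off concrete, here is an added toy model (not WhatsApp's code, and using a throwaway XOR cipher in place of the real protocol) of a sending client under the two policies the story contrasts: silently re-encrypting undelivered messages to a freshly announced key, versus holding them until the user verifies the new key. The class and method names (`SenderClient`, `peer_key_changed`) are invented for this illustration.

```python
import hashlib
from dataclasses import dataclass, field


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (XOR with a SHA-256 keystream). Stands in for the
    real end-to-end session and is NOT secure; the same call also decrypts."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


@dataclass
class SenderClient:
    policy: str                 # "retransmit": re-encrypt undelivered messages to a new key
                                # "block": hold them until the user verifies the new key
    notify: bool = False        # whether key changes are surfaced to the user
    peer_key: bytes = b""       # recipient's current identity key (constructed value)
    verified: bool = True
    in_flight: list = field(default_factory=list)   # sent but not yet acknowledged
    held: list = field(default_factory=list)        # waiting for key verification
    wire: list = field(default_factory=list)        # (key, ciphertext) copies that left the device
    events: list = field(default_factory=list)      # notifications shown to the user

    def _transmit(self, msg: bytes) -> None:
        self.wire.append((self.peer_key, xor_stream(self.peer_key, msg)))

    def send(self, msg: bytes) -> None:
        if self.policy == "block" and not self.verified:
            self.held.append(msg)           # user has not checked the new key yet
            return
        self.in_flight.append(msg)
        self._transmit(msg)

    def acknowledged(self) -> None:
        self.in_flight.clear()              # recipient confirmed delivery

    def peer_key_changed(self, new_key: bytes) -> None:
        """Server announces a new key for the peer (new phone or SIM). Ciphertexts
        still in flight under the old key can no longer be read by the peer."""
        self.peer_key = new_key
        if self.notify:
            self.events.append("security code changed")
        if self.policy == "retransmit":
            for msg in self.in_flight:      # automatic: nothing is lost, no user decision
                self._transmit(msg)
        else:
            self.verified = False           # nothing leaves until the user checks the key
            self.held.extend(self.in_flight)
            self.in_flight.clear()

    def user_verified_key(self) -> None:
        self.verified = True
        pending, self.held = self.held, []
        for msg in pending:
            self.send(msg)
```

Whoever controls the newly announced key can read the retransmitted copy under the first policy; under the second, the message is delayed instead, which is exactly the availability-versus-confidentiality choice the story turns on.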
After numerous attempts, the Guardian finally responded with a detailed statement on the matter, provided to TechCrunch. The paper said it was aware of the letter from Zeynep Tufekci and had "offered her the chance to write a response for the Guardian. This offer remains open and we continue to welcome debate." The full statement can be read on TechCrunch.
Thanks to Guardian's irresponsible & baseless WhatsApp reporting, I'm flooded w reports of vulnerable folk switching to less secure options.
— Zeynep Tufekci (@zeynep) January 16, 2017
The newspaper had already edited the story before the open letter was published, replacing the term 'backdoor' with 'vulnerability' and adding an editorial note at the end of the article: "This article was amended following a further statement from WhatsApp, which said that it did not give governments a 'backdoor' into its systems."