Security experts criticize The Guardian article about WhatsApp ‘backdoor’
Several security experts have criticized, in a joint open letter, the Guardian’s reporting of an alleged ‘backdoor’ in WhatsApp. They argue that the newspaper acted irresponsibly by using that term.
The experts, among them well-known names such as Matthew Green, Bruce Schneier and Jonathan Zdziarski, ask the newspaper to retract the piece. According to the signatories, the behaviour in WhatsApp cannot be described as a backdoor. They instead characterize it as a design choice by WhatsApp, which is also how the company described it when the article appeared. They add that the behaviour is difficult to exploit in practice.
According to the letter, the use of the word ‘backdoor’ caused considerable confusion, for example among journalists, activists and ordinary users. The experts acknowledge that WhatsApp’s choice not to warn senders before undelivered messages are re-sent under a changed key is open to debate, but consider it defensible. Frederic Jacobs, who worked on the Signal protocol that underlies WhatsApp’s encryption, likewise calls it a ‘reasonable choice’, the kind of trade-off that should be made more often in security.
Signal, by contrast, warns the sender when undelivered messages are about to be delivered to a contact whose security keys have changed. The experts argue that usability, and the ability to reach a very large number of people, weigh heavily here. Adding such a warning to WhatsApp would not make users more secure; it would more likely drive them to alternatives with no warnings at all, such as SMS.
The behaviour The Guardian labeled a ‘backdoor’ was identified by security researcher Tobias Boelter. When a recipient’s encryption key changes while messages to them are still undelivered, for example because the recipient was offline, WhatsApp’s client re-encrypts those messages under the new key and delivers them anyway, without first asking the sender. An attacker who can register a key of their own under the recipient’s identity could thereby read the re-sent messages, effectively impersonating the recipient. After publication The Guardian amended the article and dropped the term ‘backdoor’.
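The trade-off discussed above can be made concrete with a small model of a sender’s client holding queued messages for an offline recipient whose key then changes. The code below is an added illustration written for this page; it is not WhatsApp’s or Signal’s code. The class names, the two policy strings and the scenario are assumptions, and the “encryption” is a deliberate stand-in: a ciphertext is bound to the fingerprint of the key it was encrypted for and can only be opened by the holder of the matching private key. Only the delivery policy on a key change is being modelled: re-encrypt and re-send (the behaviour attributed to WhatsApp) versus hold and warn until the sender accepts the new key (the behaviour attributed to Signal).

```python
"""Model of queued-message handling on a recipient key change.

Added illustration, not WhatsApp or Signal code. KeyServer, SenderClient,
the policy strings and the scenario are assumptions of this model; the
encryption is a toy stand-in bound to a key fingerprint.
"""
import hashlib
import secrets
from dataclasses import dataclass

RETRANSMIT = "retransmit"  # re-encrypt queued messages to the new key and send them
BLOCK = "block"            # hold queued messages until the sender accepts the new key


def fingerprint(private_key: bytes) -> str:
    """Public identifier of a key pair (stand-in for the public key)."""
    return hashlib.sha256(b"pub:" + private_key).hexdigest()[:16]


@dataclass
class Ciphertext:
    recipient_fp: str  # fingerprint of the key this was encrypted for
    body: bytes


def _stream(fp: str) -> bytes:
    return hashlib.sha256(fp.encode()).digest()


def encrypt_for(recipient_fp: str, plaintext: bytes) -> Ciphertext:
    s = _stream(recipient_fp)
    return Ciphertext(recipient_fp, bytes(p ^ s[i % 32] for i, p in enumerate(plaintext)))


def decrypt(private_key: bytes, ct: Ciphertext) -> bytes:
    # Only the holder of the key the message was encrypted for may open it.
    if fingerprint(private_key) != ct.recipient_fp:
        raise PermissionError("ciphertext was not encrypted for this key")
    s = _stream(ct.recipient_fp)
    return bytes(c ^ s[i % 32] for i, c in enumerate(ct.body))


class KeyServer:
    """Directory of current keys plus per-key inboxes. Whoever holds the key
    currently registered under a name receives that name's messages."""

    def __init__(self) -> None:
        self.keys: dict[str, str] = {}
        self.inbox: dict[str, list[Ciphertext]] = {}

    def register(self, name: str, private_key: bytes) -> None:
        self.keys[name] = fingerprint(private_key)

    def deliver(self, name: str, ct: Ciphertext) -> None:
        self.inbox.setdefault(self.keys[name], []).append(ct)


class SenderClient:
    def __init__(self, server: KeyServer, policy: str) -> None:
        self.server, self.policy = server, policy
        self.pinned: dict[str, str] = {}            # trust on first use
        self.outbox: list[tuple[str, bytes]] = []   # undelivered (name, plaintext)
        self.notices: list[str] = []                # security notifications raised

    def send(self, name: str, plaintext: bytes) -> None:
        self.pinned.setdefault(name, self.server.keys[name])
        self.outbox.append((name, plaintext))       # recipient offline: stays queued

    def accept_new_key(self, name: str) -> None:
        """Sender verifies the new key out of band and approves it."""
        self.pinned[name] = self.server.keys[name]
        self.flush()

    def flush(self) -> None:
        """Recipient comes online: decide what happens to queued messages."""
        still_queued = []
        for name, plaintext in self.outbox:
            current = self.server.keys[name]
            if current != self.pinned[name]:
                self.notices.append(f"security code for {name} changed")
                if self.policy == BLOCK:
                    still_queued.append((name, plaintext))
                    continue
                self.pinned[name] = current         # RETRANSMIT: silently re-pin
            self.server.deliver(name, encrypt_for(current, plaintext))
        self.outbox = still_queued


def scenario(policy: str, sender_accepts: bool) -> dict:
    """Alice queues a message for offline Bob; Bob's key then changes (a
    legitimate reinstall, or an attacker registering a key under Bob's name).
    Returns what the holder of the new key could read."""
    server = KeyServer()
    server.register("bob", secrets.token_bytes(32))
    alice = SenderClient(server, policy)
    alice.send("bob", b"meet at 9")

    new_key = secrets.token_bytes(32)               # Bob's new device, or the attacker
    server.register("bob", new_key)
    alice.flush()
    if policy == BLOCK and sender_accepts:
        alice.accept_new_key("bob")

    received = [decrypt(new_key, ct) for ct in server.inbox.get(fingerprint(new_key), [])]
    return {"read_by_new_key": received, "still_queued": len(alice.outbox), "notices": alice.notices}


if __name__ == "__main__":
    print("retransmit:", scenario(RETRANSMIT, False))
    print("block, not accepted:", scenario(BLOCK, False))
    print("block, accepted:", scenario(BLOCK, True))
```

Under RETRANSMIT the holder of the new key, legitimate or not, reads the queued message with no action by the sender; a notification is recorded, but whether it is displayed is a separate UI decision. Under BLOCK the attacker gets nothing, at the cost that a legitimate reinstall also stalls every queued message until the sender explicitly accepts the new key, which is the usability cost the letter weighs against the security gain.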