A report in The Guardian claiming there's a "backdoor" in WhatsApp that could allow messages to be intercepted and read is being refuted by the Facebook-owned messaging service. According to the original report, security researcher Tobias Boelter found the vulnerability in April 2016 and reported it to Facebook.
Facebook responded by calling it "expected behavior" and therefore not something to be fixed. Boelter's findings were then reported on by The Guardian, which says it verified the vulnerability exists.
The alleged problem centers on WhatsApp's Signal implementation, which can force new encryption keys to be generated for offline users. Boelter describes this as a "retransmission vulnerability" that could be used to steal messages.
WhatsApp fully denies the software has a vulnerability. Rather, it says the code in question is a feature that ensures messages don't get lost.
"The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a "backdoor" allowing governments to force WhatsApp to decrypt message streams. This claim is false... The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks." - WhatsApp
Other researchers have also pointed to WhatsApp's opt-in "security notifications" feature as a way for users to verify keys and ensure their messages are secure.
Moxie Marlinspike, founder of Open Whisper Systems and co-author of the Signal Protocol, disagreed with the characterization of this as a security flaw. He says the story was "supremely inaccurate."