Earlier this month, The Guardian published an article in which the paper explained how a backdoor vulnerability found in WhatsApp can be used by Facebook to collect user data, as well as sell the data to third-party companies and intelligence agencies.
Shortly after the article went online, many security experts expressed doubts about the accusations made by The Guardian. Open Whisper Systems, the company behind WhatsApp’s encryption and the Signal Protocol, published a blog post explaining that security keys change even under ordinary circumstances: every time a user reinstalls the app or buys a new phone, the identity keys are replaced. “One fact of life in real world cryptography is that these keys will change under normal circumstances. Every time someone gets a new device, or even just reinstalls the app, their identity key pair will change. This is something any public key cryptography system has to deal with. WhatsApp gives users the option to be notified when those changes occur,” the blog post reads.
The Guardian described how, when a message is sent via WhatsApp while the recipient is offline, the end-to-end encryption system generates new encryption keys for the recipient so that the queued message can still be delivered. According to The Guardian, third parties such as government intelligence agencies could use this to intercept the data and “snoop” on the personal data of WhatsApp users. The whole thing is possible, the paper argued, because WhatsApp does not inform users by default when a security key changes, which leaves open a potential backdoor for reading and intercepting messages.
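To make the behaviour being argued over concrete, here is an added toy model (not WhatsApp or Signal code) of a trust-on-first-use key store. It compares the two things the article describes: silently re-encrypting a queued message to a contact’s new key, with or without the optional notification, versus holding the message until the user verifies the new key out of band. Keys and fingerprints are constructed placeholder strings; in this toy the fingerprint is simply the key itself.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """Trust-on-first-use key store with a configurable key-change policy (toy model)."""
    notify: bool = False                              # the optional "security notifications" setting
    block_on_change: bool = False                     # hold messages until the new key is verified
    known_keys: dict = field(default_factory=dict)    # contact -> last accepted identity key
    pending: dict = field(default_factory=dict)       # contact -> (new key, held message)
    log: list = field(default_factory=list)           # notifications shown to the user

    def deliver(self, contact: str, server_key: str, message: str) -> str:
        """Decide what happens to a message given the key the server presents right now."""
        previous = self.known_keys.get(contact)
        if previous is None or previous == server_key:
            self.known_keys[contact] = server_key     # TOFU: the first key seen is trusted as-is
            return "sent"
        # The key changed. A reinstall, a new phone and an interposed key all look the same
        # at this point; only out-of-band fingerprint verification tells them apart.
        if self.notify:
            self.log.append(f"{contact}: identity key changed {previous} -> {server_key}")
        if self.block_on_change:
            self.pending[contact] = (server_key, message)
            return "held"
        self.known_keys[contact] = server_key         # silently re-encrypt to the new key and send
        return "resent"

    def verify(self, contact: str, fingerprint_checked_out_of_band: str) -> str:
        """The user compared the fingerprint in person; release or discard the held message."""
        new_key, _message = self.pending.pop(contact)
        if fingerprint_checked_out_of_band != new_key:
            return "discarded"                        # mismatch: do not trust the new key
        self.known_keys[contact] = new_key
        return "sent"
```

Run both configurations against the same key change to see that the default client delivers without the user ever learning a key was replaced, while the blocking client delivers only after a successful verification.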
Frederic Jacobs, who worked at Open Whisper Systems, posted about the issue on Twitter:
It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well known fact.
— Frederic Jacobs (@FredericJacobs) January 13, 2017
Further, Tobias Boelter, the UC Berkeley student who apparently discovered the issue, did so back in April 2016, not recently as The Guardian claimed. Boelter notified Facebook shortly after discovering it. Facebook replied that the behaviour was “expected behavior,” calling it a feature rather than a backdoor vulnerability. WhatsApp told Mashable that “The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
So, could a potential security threat be characterized as a feature? It looks that way, especially since The Guardian published the article as an exclusive even though Boelter found out about the potential vulnerability more than half a year ago. His report surfaced online during the first half of 2016 in the form of two blog posts, meaning The Guardian came late to the party while claiming to have been there first. What are your thoughts on this whole conundrum? Let us know in the comment section below.