FLAWS in the way that WhatsApp deals with encryption keys leaves users wide open to man-in-the-middle attacks, enabling third-parties to tap their communications.
The flaw has been described as a "security back door" by The Guardian and privacy campaigners (not unlike the back doors that governments of various stripes have been trying to mandate on all internet communications by law), but more sobre voices have described it as a minor bug and criticised The Guardian for going OTT.
Nor is it new. Vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016.
The security flaw relates to situations where encryption keys are dropped and have to be re-issued and re-sent. In certain circumstances, a third-party could exploit the bug to persuade the app to resend messages because the authenticity of re-issued keys is not verified in WhatsApp by default.
While the bug is genuine, and Facebook's insouciance towards fixing it mystifying, The Guardian has also come under fire for its over-the-top reporting. It claimed it as an exclusive despite the fact that Boelter had openly written about it in his blog in April last year. Boelter blamed the bug on the use of closed-source software, rather than a deliberately inserted back door.
At the time, Facebook claimed that it was aware of the bug and implied that it may - or may not - fix it, depending on how it felt.
Cryptographer Frederic Jacobs described the hyperbole surrounding the security flaw as "ridiculous". He continued: "If you don't verify keys, authenticity of keys is not guaranteed. Well-known fact."
IT security consultant David Wind, meanwhile, who writes the SlashCrypto blog, agreed: "A researcher discovered, that WhatsApp (or Facebook) could force the WhatsApp mobile client to generate new encryption keys. Due to this, WhatsApp would be able to intercept the key exchange and - of course - would be able to intercept the messages."
Wind continued: "This is how a man-in-the-middle attack works and it only works when both parties - which are communicating with each other - do not verify the fingerprints of the exchanged keys."
WhatsApp (and Signal) use a concept called 'trust on first use', he added, which means that "when a key is exchanged, this key is trusted as long as the key does not change". However, WhatsApp's default settings only notifies the end-user when the key is changed and carries on regardless, whereas Signal will block all outgoing messages until a user manually verifies the key in person, wrote Wind.
"This is not a backdoor, this is a default setting of WhatsApp and everybody is able to opt-in the feature which blocks message sending when the key material changes," he concluded.
Facebook has also been unusually forthright in its condemnation of The Guardian story.
In a statement emailed to INQ this afternoon, it said: "The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a 'backdoor' allowing governments to force WhatsApp to decrypt message streams.** This claim is false.**
"WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in The Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.
"WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.
That's about as close to calling The Guardian's story 'fake news' as possible without sounding like Donald Trump. µ
Coming tomorrow: Bug report Thursday
Privacy-aware office worker slams 'authoritarian' AFR tech
Flagship packs a 6.26in screen, quad-cameras and, er, Android Pie