Rap for crap WhatsApp trap flap: Yack yack app claptrap slapped

Computer security experts and cryptographers have accused The Guardian of overblowing what was claimed to be a backdoor in WhatsApp's encryption.

Zeynep Tufekci, an assistant professor at the University of North Carolina and associate at the Harvard University's Berkman Center for Internet and Society, wrote an open letter this week criticizing the newspaper for wrongly portraying the "vulnerability" as a "huge threat" to users.

The Graun's "exclusive" focused on the handling of public encryption keys by WhatsApp and a corner case in which a third party triggers the generation of new keys. This could, under specific conditions, allow an attacker to intercept and decrypt WhatsApp messages. This surveillance can be detected and stopped by users if they activate security notifications from the application's settings.

As El Reg noted, exploitation is non-trivial and is detectable. Now security researchers are taking journalists to task for incorrectly portraying the situation as gravely serious.

"The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off," Tufekci noted. "A debate on this trade-off is fine, but calling this a 'loophole' or a 'backdoor' is not productive or accurate."

The letter has already received endorsements from some of the biggest names in the infosec space, including Assistant Prof Matthew Green, Bruce Schneier, and Tor Project developer Isis Lovecruft.

In addition to objecting to the portrayal of the user-interface tradeoff as a "vulnerability," Tufekci's letter slaps down The Guardian for describing the design as being easy to exploit, and for recommending that users abandon WhatsApp for other messaging tools that, in many cases, would be easier for an attacker to compromise.

"Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people," the letter reads. "These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas."

Tufekci has urged the paper to retract and apologize for the story and ask reporters to consult security professionals for input on future information security articles. "Considering the stakes, security reporting must be measured and well-researched," the letter concludes.

"My unfortunate prediction is that the harm from your story will be real, widespread, and corrections and rebuttals likely minimally reported on." ®