WhatsApp, the free-to-use messaging application owned by Facebook, has spoken out after a security researcher claimed to have uncovered a 'backdoor' in its end-to-end encryption protocol that could allow secret communications to be intercepted and read.
The accusations, published in an "exclusive" report by The Guardian on 13 January, cited research compiled by Tobias Boelter, a cryptography researcher who said WhatsApp could "force" unique encryption keys to change and leave unsent messages open to man-in-the-middle attacks.
The report cited numerous privacy campaigners who said the alleged vulnerability could be exploited by governments or malicious threats. Yet security experts quickly rounded on the accusations, asserting the so-called 'backdoor' was actually a built-in feature.
In response, WhatsApp told IBTimes UK: "The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a 'backdoor' allowing governments to force WhatsApp to decrypt message streams. This claim is false.
"WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks."
Alec Muffett, a former Facebook engineer, told Gizmodo: "When you swap phones, get a new phone, factory reset, whatever—when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone.
"[If] I am sending to you, and your phone is offline because your [battery] is flat, or you have no coverage, or something. Some messages 'back up' on my phone, waiting to talk to yours.
"The proposition is that this condition: backed-up messages, combined with someone colluding with Facebook, WhatsApp to 'fake' the 'person has a new phone' condition, can lead to the backed-up messages being re-encrypted and sent to the new, fake or colluded phone."
Security expert Frederic Jacobs, who previously worked with Open Whisper Systems, tweeted: "It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well-known fact."
Indeed, even in the initial Guardian report, WhatsApp maintained the so-called backdoor was no such thing. "We focus on keeping the product simple and take into consideration how it's used every day around the world," the firm stated.
"We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp," it continued. "This is because in many parts of the world, people frequently change devices and sim cards. In these situations, we want to make sure people's messages are delivered, not lost in transit."
A simple opt-in to fix the reported issue can be fixed by checking the WhatsApp security settings. One option, under account security, notifies users when a security key has been changed.