He keeps referring to the video encoding vulnerability in WhatsApp as a "backdoor". That is not supported by the source[1] he cites, which instead refers it to as run-of-the-mill buffer overflow vulnerability. There is massive difference here - backdoor implies something that was planted purposefully. Extraordinary claims require extraordinary proof.
I don't think this post is fair in its assessment and seems more like an advertisement for Telegram, which itself has its own security issues (like lacking E2E encryption by default and terrible[2] code quality).
It probably isn't, but I don't think we can know whether it was on purpose or not.
If I had to put a backdoor in something, it'd definitely be a buffer overflow. It gives full remote code execution, it may be hard enough to find to be NOBUS, and it has perfect plausible deniability.
The underhanded C contest has many examples of malicious code that appear like plausible bugs. An intentional but rare buffer overflow would be a perfect backdoor.
As an aside, this isn’t true. There are many things right in front of us that we dismiss routinely, and “everyone knows” these things are extraordinary/insane/wrong and so on. Usually, if you spend the time to learn about such things you can discover that they’re very normal and provable, you just have to go against the crowd. That’s different from needing extraordinary evidence.
Primarily this seems to be due to disinformation efforts and plain old human biases.
WhatsApp is bad, but Telegram isn't great either. All chats that you haven't explicitly made "secret" are not end-to-end encrypted. They're apparently "encrypted", but the keys are controlled by Telegram.
Furthermore, they frequently "ban" channels that they deem contain "inappropriate" or "adult" content. Clearly they're reviewed by either humans or AI of some sort. So... that makes me uncomfortable.
Their reason for why you can trust them with encryption keys was "we didn't hand them over to <insert country here> and so they banned us where we could have cooperated and continued to have operating in said country", which seems like a pretty weak argument.
For truly decentralised, private and encrypted communication, I highly recommend matrix+riot.im.
EDIT:
> To support this idea, Pavel Durov claims that Telegram is banned in Russia and Iran, where both governments asked him for encryption keys to access the platform’s messages. Hence for refusing the proposal given by the governments of those countries, the app was banned.
Even if telegram hasn't handed over keys so far, the fact remains that the keys are still controlled by them and tomorrow if they wished they could read/expose/publish/share all "private" communication.
Think of it this way. If Bezos had been using telegram like is recommended in the article and the CEO of telegram wanted to spy on Bezos' chats, he would have totally been able to.
They say that chats don't have e2e by default so that they can be backed up to the cloud [0], but there's no reason why you can't back up encrypted chats and ask the user for a pin and decrypt them on-device.
Furthermore, telegram forces you to link your account with a phone number, and that acts as the primary (or only) form of authentication, opening you up to sim-jacking.
Also, this means that anyone who has your phone number is told you're on the app and given your username, which you may not want for privacy reasons.
Happened to us, we built a bot[1] to buy and sell bitcoins privately on Telegram. Someone messaged me saying that they would get a 'SCAM' label on our bot if we didn't pay them the ransom. We didn't comply and within a few days we got the label(guess they managed to get a lot of accounts on our bot to report scam). Their support team was unresponsive and it took around 3 weeks to get it resolved.
Needless to say, our users lost trust and we couldn't risk this happening again.
We still run the service(from request of a few existing users) but not actively promoting it.
> They're apparently "encrypted", but the keys are controlled by Telegram.
Yes, but they take steps to ensure they cannot easily be forced to decrypt chats via a court order in a single country. From the Telegram FAQ:
To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.
> Furthermore, they frequently "ban" channels that they deem contain "inappropriate" or "adult" content. Clearly they're reviewed by either humans or AI of some sort. So... that makes me uncomfortable.
AFAIK messages are only forwarded to Telegram support if they are reported by users. Chats spreading pornographic content are often banned on iOS due to the App Store guidelines (and in certain countries due to local laws), but illegal channels (e.g. CP) may be blocked globally.
> Also, this means that anyone who has your phone number is told you're on the app and given your username, which you may not want for privacy reasons.
This is not true anymore, a while ago they added new privacy settings that allow you to prevent others from finding you unless they are in your Telegram contact list. (Of course, this means if you don't want anyone in your phone's contacts to be able to find you on Telegram, you should deny the app contacts permission.)
It's my understanding that one reason people like Telegram is unlike Signal, you can use a username and hide your phone number. (Please correct me if this is incorrect, I don't know anyone who uses it so I stick to Signal)
Signal is the gold standard for confidentiality, but forcing folks to disclose a phone number as a primary identifier has privacy issues.
> Furthermore, telegram forces you to link your account with a phone number, and that acts as the primary (or only) form of authentication, opening you up to sim-jacking.
Linking phone or use it for 2FA should be like red light today. For Telegram, banking app, don't matter.
I understand that with MTProto 2 they stepped away from their homecooked crypto and follow a more traditional scheme which on the surface looks OK. It's still not the default (you must enter into a 'secret chat'), but if you do, isn't it acceptable? Telegram now is one of the last remaining clients that has excellent device support, its available for everything.
>>Furthermore, they frequently "ban" channels that they deem contain "inappropriate" or "adult" content. Clearly they're reviewed by either humans or AI of some sort. So... I don't like them much.
My understanding was that it isn't Telegram that bans them, but Apple that doesn't let certain channels be shown in the iOS app. Android and the web version show all channels.
> Also, this means that anyone who has your phone number is told you're on the app and given your username, which you may not want for privacy reasons.
You can disable that behavior in your privacy settings iirc
> Had Jeff Bezos relied on Telegram instead of WhatsApp, he wouldn't have been blackmailed by people who compromised his communications
You can have a healthy debate about whether Telegram is a better option than WhatsApp for the average Joe (I don't think it is, but that's just my opinion). Jeff Bezos is not the average Joe.
The idea Telegram somehow offers people like Bezos more protection than WhatsApp from nation state attacks is crazy. Pavel Durov is irresponsible for suggesting otherwise.
If you're a Bezos level target and Saudi Arabia wants your messages to blackmail you, they will get them. This is a country with effectively unlimited resources and no moral qualms. The app you're using is irrelevant.
At least WhatsApp has End to End encryption by default. I would be surprised if more than 1% of Telegram communications were similarly secure. I also find the constant mention of the vulns being "backdoors" disingenuous.
I'm a big fan of Telegram for its top notch bot support, but I'm flagging this submission.
I was put off at the very beginning of the article by the claim that it was a "backdoor". None of the sources I read even alluded to this, and in fact, it was, as far as I understood, a very "classical" buffer overflow problem.
But I went ahead with the article and it's just marketing spiel for Telegram. Basically based around FUD.
- Telegram offers opensource clients and WhatsApp doesn't.
- Casts doubt about the actual implementation of E2E encryption in WhatsApp. And his claim of "you can't be sure" is actually pretty wrong. There have been open-source clients (of limited success) but they still prove that it is indeed at least implemented.
- I think the author is missing the fact that WhatsApp's encryption is, technically, documented in a whitepaper that highlights all of the protocol and how to different tokens and keys are generated and recycled. Because he clearly thinks Telegram is the only one to document its encryption.
Overall, I love Telegram, I use it daily. I don't mind the lack of demonstrable privacy, because I really don't need it for what I do on Telegram. It's convenient and I love the cross-platform TRUE clients, none of that webapp packaging stuff (Seriously the QT client is amazing). But this is almost all wrong ...
This is a case of the pot calling the kettle back, to be honest. Telegram controls encryption keys centrally as well. If you want true end to end encrypted messaging then Signal is the way to go.
FWIW, I don’t understand the trend in open source projects to use Telegram for messaging given its closed source / proprietary origins.
A reminder, because this sometimes surprises people, and feel free to correct me if the facts have changed recently:
Telegram supports end-to-end encryption only in 1:1 private chats.
End-to-end encryption is disabled by default.
Telegram does not support end-to-end encryption, at all for group chats, its most popular use case.
Instead, Telegram claims that those group chats are "encrypted" by dint of the TLS connection between Telegram clients and the Telegram servers, which can, in this model, read all group traffic.
People like to dunk on the weirdness of the limited E2E crypto Telegram does have; it's archaic and idiosyncratic and people have published research results about it, though none to my understanding are of real practical impact. I support people dunking on bad crypto. But that has nothing to do with why Telegram is an inferior secure messenger.
By comparison, Signal, which Durov has repeatedly talked down:
* has modern, ratchet-based forward secure end-to-end crypto, always, in both group and private messaging;
* won the Levchin Prize, refereed by some of best-known names in academic cryptography, for the design and implementation of that cryptosystem, as well as for its implementation at WhatsApp;
* ha repeatedly foregone basic messaging app features simply to avoid collecting user metadata; Signal didn't even have user profiles until they could figure out a way to implement it in a privacy-preserving manner, and even their GIF sharing feature has a purpose-built anonymity system; we'll only this year potentially get usernames instead of phone numbers because it took that long to design a trustworthy social graph that didn't leave Signal with a giant pile of subpoenable metadata.
Reading this article, I was thinking that Durov was really over-exagerating when saying that WhatsApp plant backdoors, while it was simply security flaws.
But then I looked at the flaws, and that definitely raises questions. At least two of the flaws are in mp4 parsing done by WhatsApp itself, while both Android and iOS provide hardened platform tools for that.
There are two reasons you would want to do that:
- Increase security. Yeah that's a bit paradoxal considering what I said before, but it is possible you could want to do that, because Android devices are barely updated, and even though the mp4 parsing is hardened, there are known not fixed flaws on many devices.
If that was the intent, then the very first thing they would have done, is have this run inside a dedicated sandboxed process (Android allows that pretty easily), with no access to either the data or the internet.
Or they could have written it in a managed language, where the worst case of failed parsing is crashing/DoS-ing.
Or they could do it in rust of course :-)
- Increase compatibility with a wider range of mp4 files. As far as I know, mp4 support of those platforms should be good enough for most cases, but ok, let's say such a case exist, that means that they don't actually care about the security. As Durov say, they are using "end-to-end encryption" to say they are secured, but don't seem to care much past that.
I'm still not convinced those are actual purpose-built backdoors, but I will at least agree that security doesn't seem to be a core value of WhatsApp.
Last I tried WhatsApp it refused to let me use it without giving it access to my entire contact list. Even when “giving it access” to a blank list via PrivacyGuard, I couldn’t see a way to add a contact manually. That was a deal breaker for me.
Same. I had a visiting relative from overseas who needed to contact me and WhatsApp was their only means, but despite installing the thing and using my Google Voice Number to register, the thing refused to let me do anything without giving the thing carte blanche access to my contacts. No thanks. I had to ask my spouse to use her existing WhatsApp profile to contact the number.
There's zero technical reason why I can't have a silo'd list of contacts WITHIN WhatsApp. Facebook knows it. Fuck them.
You used to be able to set up different user profiles on Android - I set one up just for WhatsApp, and only WhatsApp contacts went in it.
I am dismayed to find that my new Android phone no longer has this feature, except as part of some bullshit "work profile" nonsense that apparently isn't possible for me to set up by myself, on my own phone. "You'll need a code from your IT admin", I'm told, and "a management tool will be downloaded and used by your IT admin to manage your work profile". Great.
Contact list access is literally THE thing that makes WhatsApp valuable to Facebook. You lock down that and they are now staring at a massive hosting bill with nothing in return.
> Telegram, an application used by hundreds of millions of people including heads of states and large companies, has had no issues of that severity in the last 6 years.
Sounds misleading no? Should rather say: no issues of that severity "reported" in the last 6 years.
He says this is a vulnerability in Whatsapp, rather than in iOS/Android-
But if a full-phone exploit is possible using the app, isn't that inherently an iOS/Android bug?
My understanding is that that an application should not have full access to the system.
I would expect that even if it were hacked/acting maliciously all you could pull is what the app already has access to.
Did they stack an iOS exploit on top of a WhatsApp bug?
(Using WhatsApp for remote execution, then a privilege escalation of some sort?)
WhatsApp is also quite user-hostile. For example:
(1) There is no way to stop being added to groups.
(2) There is no way to disable their calling service. I don't want people to call me on WhatsApp.
(3) If you've chosen not to give them your contact book, they have worsened the UX over time (for example, it only shows phone numbers now and not the display names they have set).
I use WhatsApp and generally trust Facebook when they talk about e2e (of course there will be bugs but Facebook has lots of eyes on them, are a huge public company with staffed security team, encryption has been tested in Brazil where they didn't have anything to hand over to the govt, have lots to lose by lying here and Metadata collection and WhatsApp business sound like a potential business). In my opinion the biggest issue is the backups. Everybody I know backs up the chats to icloud or Google drive (even if you don't your friends might) because it offers great convenience. These backups are not encrypted( well, encrypted with key with whatsapp) and hence is a weak link. In an e2e encryption system all we need is one weak link and this is imo the one. Hopefully whatsapp or Apple or Google solves it elegantly without too much hit on user convenience.
[+] [-] vesinisa|6 years ago|reply
I don't think this post is fair in its assessment and seems more like an advertisement for Telegram, which itself has its own security issues (like lacking E2E encryption by default and terrible[2] code quality).
1: https://www.techspot.com/news/82843-hackers-can-use-whatsapp...
2: https://www.reddit.com/r/androiddev/comments/cazz4h/why_tele...
[+] [-] pornel|6 years ago|reply
If I had to put a backdoor in something, it'd definitely be a buffer overflow. It gives full remote code execution, it may be hard enough to find to be NOBUS, and it has perfect plausible deniability.
[+] [-] ASalazarMX|6 years ago|reply
[+] [-] bfieidhbrjr|6 years ago|reply
As an aside, this isn’t true. There are many things right in front of us that we dismiss routinely, and “everyone knows” these things are extraordinary/insane/wrong and so on. Usually, if you spend the time to learn about such things you can discover that they’re very normal and provable, you just have to go against the crowd. That’s different from needing extraordinary evidence.
Primarily this seems to be due to disinformation efforts and plain old human biases.
[+] [-] rahuldottech|6 years ago|reply
Furthermore, they frequently "ban" channels that they deem contain "inappropriate" or "adult" content. Clearly they're reviewed by either humans or AI of some sort. So... that makes me uncomfortable.
Their reason for why you can trust them with encryption keys was "we didn't hand them over to <insert country here> and so they banned us where we could have cooperated and continued to have operating in said country", which seems like a pretty weak argument.
For truly decentralised, private and encrypted communication, I highly recommend matrix+riot.im.
EDIT:
> To support this idea, Pavel Durov claims that Telegram is banned in Russia and Iran, where both governments asked him for encryption keys to access the platform’s messages. Hence for refusing the proposal given by the governments of those countries, the app was banned.
From https://outline.com/BK8f7h
Even if telegram hasn't handed over keys so far, the fact remains that the keys are still controlled by them and tomorrow if they wished they could read/expose/publish/share all "private" communication.
Think of it this way. If Bezos had been using telegram like is recommended in the article and the CEO of telegram wanted to spy on Bezos' chats, he would have totally been able to.
They say that chats don't have e2e by default so that they can be backed up to the cloud [0], but there's no reason why you can't back up encrypted chats and ask the user for a pin and decrypt them on-device.
Furthermore, telegram forces you to link your account with a phone number, and that acts as the primary (or only) form of authentication, opening you up to sim-jacking.
Also, this means that anyone who has your phone number is told you're on the app and given your username, which you may not want for privacy reasons.
[0] https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by...
[+] [-] k_vi|6 years ago|reply
Needless to say, our users lost trust and we couldn't risk this happening again.
We still run the service(from request of a few existing users) but not actively promoting it.
[1] https://t.me/megadealsbot
[+] [-] nyuszika7h|6 years ago|reply
Yes, but they take steps to ensure they cannot easily be forced to decrypt chats via a court order in a single country. From the Telegram FAQ:
To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.
https://telegram.org/faq#q-do-you-process-data-requests
> Furthermore, they frequently "ban" channels that they deem contain "inappropriate" or "adult" content. Clearly they're reviewed by either humans or AI of some sort. So... that makes me uncomfortable.
AFAIK messages are only forwarded to Telegram support if they are reported by users. Chats spreading pornographic content are often banned on iOS due to the App Store guidelines (and in certain countries due to local laws), but illegal channels (e.g. CP) may be blocked globally.
> Also, this means that anyone who has your phone number is told you're on the app and given your username, which you may not want for privacy reasons.
This is not true anymore, a while ago they added new privacy settings that allow you to prevent others from finding you unless they are in your Telegram contact list. (Of course, this means if you don't want anyone in your phone's contacts to be able to find you on Telegram, you should deny the app contacts permission.)
[+] [-] rorykoehler|6 years ago|reply
[+] [-] dontbenebby|6 years ago|reply
Signal is the gold standard for confidentiality, but forcing folks to disclose a phone number as a primary identifier has privacy issues.
[+] [-] paulcarroty|6 years ago|reply
Linking phone or use it for 2FA should be like red light today. For Telegram, banking app, don't matter.
[+] [-] onebot|6 years ago|reply
[+] [-] jszymborski|6 years ago|reply
But in terms of getting less technical people on board (frankly, often the sort to go to WA anyhow), I deeply suggest Signal.
[+] [-] brnt|6 years ago|reply
[+] [-] eptcyka|6 years ago|reply
[+] [-] gadders|6 years ago|reply
My understanding was that it isn't Telegram that bans them, but Apple that doesn't let certain channels be shown in the iOS app. Android and the web version show all channels.
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] hackerbeat|6 years ago|reply
[+] [-] seizeheures|6 years ago|reply
You can disable that behavior in your privacy settings iirc
[+] [-] nostalgk|6 years ago|reply
Really? I just went there recently, and nearly everyone used Telegram as their primary messaging application (other than Instagram)
[+] [-] KaiserPro|6 years ago|reply
I am not a whatsapp fanboy, but I strongly doubt that these flaws were designed, and to call them "backdoors" is hyperbole.
I also am sure that the only reason we know about this backdoor is because Bezos was blackmailed.
I am in no doubt that nation states have a cache of exploits for signal, telgram, facebook messenger and whatsapp.
[+] [-] objclxt|6 years ago|reply
You can have a healthy debate about whether Telegram is a better option than WhatsApp for the average Joe (I don't think it is, but that's just my opinion). Jeff Bezos is not the average Joe.
The idea Telegram somehow offers people like Bezos more protection than WhatsApp from nation state attacks is crazy. Pavel Durov is irresponsible for suggesting otherwise.
If you're a Bezos level target and Saudi Arabia wants your messages to blackmail you, they will get them. This is a country with effectively unlimited resources and no moral qualms. The app you're using is irrelevant.
[+] [-] BoppreH|6 years ago|reply
I'm a big fan of Telegram for its top notch bot support, but I'm flagging this submission.
[+] [-] aneutron|6 years ago|reply
But I went ahead with the article and it's just marketing spiel for Telegram. Basically based around FUD.
- Telegram offers opensource clients and WhatsApp doesn't.
- Casts doubt about the actual implementation of E2E encryption in WhatsApp. And his claim of "you can't be sure" is actually pretty wrong. There have been open-source clients (of limited success) but they still prove that it is indeed at least implemented.
- I think the author is missing the fact that WhatsApp's encryption is, technically, documented in a whitepaper that highlights all of the protocol and how to different tokens and keys are generated and recycled. Because he clearly thinks Telegram is the only one to document its encryption.
Overall, I love Telegram, I use it daily. I don't mind the lack of demonstrable privacy, because I really don't need it for what I do on Telegram. It's convenient and I love the cross-platform TRUE clients, none of that webapp packaging stuff (Seriously the QT client is amazing). But this is almost all wrong ...
[+] [-] hestefisk|6 years ago|reply
[+] [-] nnx|6 years ago|reply
- This kind of vulnerability could happen in any app, including Telegram (similar issue also happened in the past with iMessage)
- WhatsApp conversations are all end-to-end encrypted by default, Telegram does not (have to explicitely create "secret chat")
- If this vulnerability used privilege escalation to access some data outside WhatsApp, iOS indeed had additional vulnerability (and Android too)
[+] [-] dancemethis|6 years ago|reply
[+] [-] tptacek|6 years ago|reply
Telegram supports end-to-end encryption only in 1:1 private chats.
End-to-end encryption is disabled by default.
Telegram does not support end-to-end encryption, at all for group chats, its most popular use case.
Instead, Telegram claims that those group chats are "encrypted" by dint of the TLS connection between Telegram clients and the Telegram servers, which can, in this model, read all group traffic.
People like to dunk on the weirdness of the limited E2E crypto Telegram does have; it's archaic and idiosyncratic and people have published research results about it, though none to my understanding are of real practical impact. I support people dunking on bad crypto. But that has nothing to do with why Telegram is an inferior secure messenger.
By comparison, Signal, which Durov has repeatedly talked down:
* has modern, ratchet-based forward secure end-to-end crypto, always, in both group and private messaging;
* won the Levchin Prize, refereed by some of best-known names in academic cryptography, for the design and implementation of that cryptosystem, as well as for its implementation at WhatsApp;
* ha repeatedly foregone basic messaging app features simply to avoid collecting user metadata; Signal didn't even have user profiles until they could figure out a way to implement it in a privacy-preserving manner, and even their GIF sharing feature has a purpose-built anonymity system; we'll only this year potentially get usernames instead of phone numbers because it took that long to design a trustworthy social graph that didn't leave Signal with a giant pile of subpoenable metadata.
Use whatever messaging app you want.
[+] [-] phh|6 years ago|reply
But then I looked at the flaws, and that definitely raises questions. At least two of the flaws are in mp4 parsing done by WhatsApp itself, while both Android and iOS provide hardened platform tools for that.
There are two reasons you would want to do that:
- Increase security. Yeah that's a bit paradoxal considering what I said before, but it is possible you could want to do that, because Android devices are barely updated, and even though the mp4 parsing is hardened, there are known not fixed flaws on many devices. If that was the intent, then the very first thing they would have done, is have this run inside a dedicated sandboxed process (Android allows that pretty easily), with no access to either the data or the internet. Or they could have written it in a managed language, where the worst case of failed parsing is crashing/DoS-ing. Or they could do it in rust of course :-)
- Increase compatibility with a wider range of mp4 files. As far as I know, mp4 support of those platforms should be good enough for most cases, but ok, let's say such a case exist, that means that they don't actually care about the security. As Durov say, they are using "end-to-end encryption" to say they are secured, but don't seem to care much past that.
I'm still not convinced those are actual purpose-built backdoors, but I will at least agree that security doesn't seem to be a core value of WhatsApp.
[+] [-] rapsey|6 years ago|reply
Yeah and well known to be a cryptographically poor.
[+] [-] fkfaduc|6 years ago|reply
[+] [-] drummer|6 years ago|reply
[+] [-] thrwaway69|6 years ago|reply
I know a lot of people who use telegram over whatsapp because it's more secure.
[+] [-] EGreg|6 years ago|reply
[+] [-] taneq|6 years ago|reply
[+] [-] AdmiralAsshat|6 years ago|reply
There's zero technical reason why I can't have a silo'd list of contacts WITHIN WhatsApp. Facebook knows it. Fuck them.
[+] [-] dTal|6 years ago|reply
I am dismayed to find that my new Android phone no longer has this feature, except as part of some bullshit "work profile" nonsense that apparently isn't possible for me to set up by myself, on my own phone. "You'll need a code from your IT admin", I'm told, and "a management tool will be downloaded and used by your IT admin to manage your work profile". Great.
[+] [-] huhtenberg|6 years ago|reply
Contact list access is literally THE thing that makes WhatsApp valuable to Facebook. You lock down that and they are now staring at a massive hosting bill with nothing in return.
[+] [-] ElectronShak|6 years ago|reply
[+] [-] icebraining|6 years ago|reply
[+] [-] earloftyrone|6 years ago|reply
[+] [-] nobodyshere|6 years ago|reply
[+] [-] hurricanetc|6 years ago|reply
[+] [-] celticninja|6 years ago|reply
[+] [-] mr-karan|6 years ago|reply
Sounds misleading no? Should rather say: no issues of that severity "reported" in the last 6 years.
[+] [-] forgotmypw|6 years ago|reply
If I was him, I would have spent a couple million rolling my own, with gateways to web, email, and SMS.
[+] [-] namanaggarwal|6 years ago|reply
E2E is not by default and terrible UX to make people think they have secure communication
[+] [-] slipheen|6 years ago|reply
But if a full-phone exploit is possible using the app, isn't that inherently an iOS/Android bug?
My understanding is that that an application should not have full access to the system. I would expect that even if it were hacked/acting maliciously all you could pull is what the app already has access to.
Did they stack an iOS exploit on top of a WhatsApp bug?
(Using WhatsApp for remote execution, then a privilege escalation of some sort?)
[+] [-] diebeforei485|6 years ago|reply
(2) There is no way to disable their calling service. I don't want people to call me on WhatsApp.
(3) If you've chosen not to give them your contact book, they have worsened the UX over time (for example, it only shows phone numbers now and not the display names they have set).
[+] [-] gravity_123|6 years ago|reply