“The fact that WhatsApp handles key changes is not a ‘backdoor,’” he wrote in a blog post. “It is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.” He went on to say that, while it’s true that Signal, by default, requires a sender to manually verify keys and WhatsApp does not, both approaches have potential security and performance drawbacks. For instance, many users don’t understand how to go about verifying a new key and may turn off encryption altogether if it prevents their messages from going through or generates error messages that aren’t easy to understand.
Security-conscious users, meanwhile, can enable security notifications and rely on a “safety number” to verify new keys.
Ultimately, there’s little evidence of a vulnerability and certainly none of a backdoor—which is usually defined as secret functionality for defeating security measures. WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.
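To make the blocking versus non-blocking trade-off described above concrete, here is an added sketch (not code from WhatsApp, Signal, or the original article) of a client that remembers a contact's identity key, detects a change, and derives a comparable safety number. The iterated-hash fingerprint, the `block`/`notify` policy names, and the sample keys are assumptions made for illustration, not either app's actual algorithm.

```python
import hashlib

# Constructed sample identity keys (placeholders, not real key material).
ALICE_KEY, BOB_KEY, BOB_NEW_KEY = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))

def fingerprint(identity_key: bytes, user_id: str, rounds: int = 5200) -> str:
    """Assumed scheme: iterated SHA-512 over key and id, rendered as 30 digits."""
    digest = b"\x00\x00" + identity_key + user_id.encode()
    for _ in range(rounds):
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)

def safety_number(key_a: bytes, id_a: str, key_b: bytes, id_b: str) -> str:
    """Sort the two halves so both parties display the same 60 digits."""
    return "".join(sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)]))

class Contact:
    """Trust-on-first-use record of one peer's identity key."""

    def __init__(self, user_id: str, policy: str = "notify"):
        self.user_id, self.policy = user_id, policy  # policy: "block" or "notify"
        self.trusted_key = None
        self.events = []

    def send(self, message: str, current_key: bytes) -> bool:
        """Return True if the message is sent under current_key."""
        if self.trusted_key is None:
            self.trusted_key = current_key          # first contact: trust and record
        elif current_key != self.trusted_key:
            self.events.append("key_changed")       # the change is always visible
            if self.policy == "block":
                return False                        # hold until the user verifies
            self.trusted_key = current_key          # non-blocking: deliver, then notify
        return True

    def accept(self, new_key: bytes) -> None:
        """Called after the user has compared safety numbers out of band."""
        self.trusted_key = new_key

if __name__ == "__main__":
    bob = Contact("bob", policy="block")
    bob.send("hi", BOB_KEY)
    print("sent after key change:", bob.send("hi again", BOB_NEW_KEY), bob.events)
    print("old:", safety_number(ALICE_KEY, "alice", BOB_KEY, "bob"))
    print("new:", safety_number(ALICE_KEY, "alice", BOB_NEW_KEY, "bob"))
```

In both policies the key change is recorded; the difference is only whether delivery waits for the user to compare the new safety number.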