For anyone wondering what the actual purported security weaknesses are in this article (I used the slop machine to reduce the slop):

- Cloud backups — by default, backups to iCloud/Google Drive contain plaintext messages, and E2EE backup is opt-in. Even if you enable it, a weak password collapses the effective security, and any other person in the chat with an unencrypted backup exposes the conversation.
- Metadata — who you talk to, when, how often, IP, contact graph, etc. This is the "reading your life without reading your messages" argument, and it's the part that's genuinely well-established.
- Pen register / FBI — the claim that WhatsApp uniquely delivers near-real-time metadata (~every 15 min) to law enforcement.
- Group chat membership integrity — a server-level adversary can inject a member into a group; messages stay encrypted but get delivered to the injected party.
- Endpoint compromise (Pegasus / CVE-2019-3568) — encryption is irrelevant if the device is owned.
- Closed source, Meta AI, business accounts — content can leave the E2EE envelope in those flows.

Nothing really new here, and as everyone else is pointing out Telegram might be worse.