The Guardian has drawn the ire of a large number of cryptography and security experts by publishing a story claiming Vulnerability-related.DiscoverVulnerability that WhatsApp has a security backdoor that would allow it , or governments , to snoop on encrypted messages . The group of experts , led by Associate Professor Zeynep Tufekci have written an open letter demanding that the article is retracted and for The Guardian to issue an apology for the misleading claims . The article , written by freelance journalist Manisha Ganguly reported claims Vulnerability-related.DiscoverVulnerability originally made by a UC Berkeley PhD student Tobias Boelter last year . He showed Vulnerability-related.DiscoverVulnerability that under certain conditions a government could , with the cooperation of WhatsApp , gain access to the content of a small number of messages . The consensus of 40 of the most respected people from the security and cryptographic community however was that the behaviour described by PhD student Tobias Boelter , and sensationalised in The Guardian article , was simply a design decision taken by WhatsApp developers and represented a very small risk , if any , to the vast majority of users . The Guardian has so far refused the demands of Professor Tufekci and her colleagues and simply updated the article changing the word “ backdoor ” for “ vulnerability ” and including a statement from WhatsApp stating categorically that “ WhatsApp does not give governments a ‘ backdoor ’ into its systems and would fight any government request to create a backdoor ” . Tufekci made the point that The Guardian ’ s article had endangered people because they would switch to less secure forms of communication over concerns that governments could be potentially listening into conversations . The suggestion that people should use the potentially more secure app Signal was not going to work for most people because it was less user-friendly and simply by using an app like Signal could actually alert government agencies that they had something to hide . The Guardian article took the claims of a PhD student and failed to get input into the issue from a single recognised security or cryptography expert . The opinions quoted in the article came from three people who , although involved with privacy at the policy and user level , were by no means subject matter experts and couldn ’ t possibly have claimed to understand what had been implemented . In fact , Moxie Marlinspike , the developer behind Signal , the protocol that gives WhatsApp its end-to-end encryption also came out emphatically supporting WhatsApp ’ s implementation of the Signal Protocol . The Guardian has since published several other articles about WhatsApp including one by Tobias Boelter attempting to justify the claims Vulnerability-related.DiscoverVulnerability of there being a “ vulnerability ” in WhatsApp . It is important to note that this story was not picked up and reported independently by other reputable mainstream media sites ; a sure indication that other journalists weren ’ t buying into the claims . Even the tech media didn ’ t report on it other than some sites simply reporting what The Guardian had claimed .

Last week WordPress released Vulnerability-related.PatchVulnerability the newest version ( 4.7.2 ) of the popular CMS , ostensibly fixing Vulnerability-related.PatchVulnerability three security issues affecting versions 4.7.1 and earlier . What the WordPress team didn ’ t share at that time is that the update also secretly fixes Vulnerability-related.PatchVulnerability a bug that allows unauthenticated users to modify the content of any post or page within a WordPress site . The vulnerability was discovered Vulnerability-related.DiscoverVulnerability by Sucuri researcher Marc-Alexandre Montpas and responsibly disclosed Vulnerability-related.DiscoverVulnerability to the WordPress security team on January 20 . A fix was soon created Vulnerability-related.PatchVulnerability , tested , and included in the security update pushed out Vulnerability-related.PatchVulnerability on January 26 . The team reached out to makers of web application firewalls ( WAFs ) like SiteLock , Cloudflare , and Incapsula to help them create rules that would block exploitation attempts . WordPress hosts have also been privately told Vulnerability-related.DiscoverVulnerability of the flaw , and they quietly moved to protect their users . “ By Wednesday afternoon , most of the hosts we worked with had protections in place . Data from all four WAFs [ this includes Sucuri ’ s ] and WordPress hosts showed Vulnerability-related.DiscoverVulnerability no indication that the vulnerability had been exploited Vulnerability-related.DiscoverVulnerability in the wild , ” the WP security team disclosed Vulnerability-related.DiscoverVulnerability on Wednesday . “ As a result , we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public ” . Within a couple of hours of the release of the update Vulnerability-related.PatchVulnerability , WordPress users who have opted for the automatic WP update option had the WP 4.7.2 installed and were protected . The unauthenticated privilege escalation vulnerability in question affects Vulnerability-related.DiscoverVulnerability the REST API , which was added and enabled by default on WordPress 4.7.0