The Guardian's report is based on research by Tobias Belter. He claims that the server (potentially at the direction of a government agency) could generate a new key for one of the parties, and pretend to be them before the person on the other end is notified that something has changed. On the Signal app, this would cause an already sent message to fail, and the sender to be notified of a change before it could be attempted again. In Whatsapp, it displays a message that the key has changed, re-encrypts the message, and delivers it.

As Open Whisper Systems explains, this setup is better for Whatsapp's large user base because it's simpler for users. Also, since the server can't know who has notifications turned on, it makes trying to exploit such a change risky because of potential detection. While it agrees that people could differ in opinion on the implementation, it disagrees that this could ever be described as a "backdoor," which is what the article claims.

A number of security professionals have chimed in to agree, including Frederic Jacobs, who helped design the protocol being used. For users, the most responsible thing to do seems to be to turn on notifications, and check your security codes regularly.