Does WhatsApp Have A Privacy Issue That Could Expose Your Messages?

Last Friday an Amazon employee tweeted about a weird issue she had with WhatsApp. The tweet started a conversation about a possible privacy issue with using a phone number as the way to authenticate users. According to Abby Fuller, she found some mysterious messages on WhatsApp, not associated with her contacts, immediately after she created a new account on her new phone using a new number for the first time. Abby believed that the content that mysteriously appeared on her new account was the message history associated with the WhatsApp account of the previous owner of the same SIM/mobile number, which WhatsApp pushed to her phone... and, unfortunately, she was almost certainly correct.

This issue happened due to cell carriers' practice of recycling cell numbers and WhatsApp's "45-day message deleting mechanism". This allows WhatsApp to hold the messages for 45 days before the number is activated again. This causes an issue when cell numbers change hands and the new owner is able to receive the old owner's messages.

However, there is more to the story. A few tech sites and users on Twitter and Reddit are currently suggesting that WhatsApp's "45-day message deleting mechanism" contains a bug that keeps undelivered messages stored on the company's servers for a longer period after the recipients stop using their accounts.

But wait, there is more... WhatsApp does not need a SIM card in order to be used. In other words, a user can use a SIM and phone number to establish a local encryption key and then remove the SIM and return it to be reused by another user. They can continue to use the app until the phone number is used by another user. Once the new user activates the SIM and phone number, all of the messages will be sent to the new user.
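The retention-plus-recycling mechanism described above can be modelled in a few lines. This is an added example, not code from WhatsApp or from the original story: a simplified, hypothetical server queue that holds undelivered messages per phone number for 45 days, run once as-is and once with a mitigation that discards the queue when the number is registered under a different identity key. The class, method names, key strings and phone number are all constructed for illustration.

```python
from dataclasses import dataclass, field

RETENTION_DAYS = 45  # retention window named in the article


@dataclass
class OfflineQueue:
    """Hypothetical model of a server that queues messages by phone number."""
    purge_on_new_identity: bool
    accounts: dict = field(default_factory=dict)  # number -> identity key
    pending: dict = field(default_factory=dict)   # number -> [(day, text)]

    def register(self, number, identity_key):
        previous = self.accounts.get(number)
        # Mitigation: a different key on the same number means a different
        # device or owner, so anything queued for the old key is discarded.
        if self.purge_on_new_identity and previous not in (None, identity_key):
            self.pending.pop(number, None)
        self.accounts[number] = identity_key

    def send(self, number, text, day):
        self.pending.setdefault(number, []).append((day, text))

    def fetch(self, number, identity_key, day):
        # Delivery is authorised by "currently registered on this number".
        if self.accounts.get(number) != identity_key:
            return []
        queued = self.pending.pop(number, [])
        # The retention window only drops messages older than 45 days.
        return [text for sent, text in queued if day - sent <= RETENTION_DAYS]


def scenario(purge_on_new_identity):
    """Old owner goes offline; the carrier reassigns the number on day 60."""
    number = "+15550100"  # constructed sample number
    server = OfflineQueue(purge_on_new_identity)
    server.register(number, "old-owner-key")
    server.send(number, "for old owner, sent day 10", day=10)
    server.send(number, "for old owner, sent day 40", day=40)
    server.register(number, "new-owner-key")  # new SIM holder signs up
    return server.fetch(number, "new-owner-key", day=60)


if __name__ == "__main__":
    print("number-keyed queue :", scenario(False))
    print("purge on key change:", scenario(True))
```

In the unmitigated run the 45-day window removes only the older message, so the retention limit narrows the exposure without closing it.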

It's clear from an online FAQ that WhatsApp is aware of this issue. The problem is that its users aren't aware, and WhatsApp has made everything so simple and automatic that it's difficult to then ask users to pay attention to something that's far from obvious:

Changing phone numbers and/or phones / Changing your WhatsApp phone number

Before you stop using a particular phone number, you should migrate your WhatsApp account to the new number. For a simple way to do this, use our Change Number feature. By using this feature, you'll be able to migrate your account information (including your profile information) as well as your groups.

Make sure your contacts delete your old phone number from their phone's address book and input your new number. As it is a common practice for mobile providers to recycle numbers, you should expect that your former number will be reassigned.

https://faq.whatsapp.com/en/s40/28030001/

The takeaway from this story: BEFORE you stop using a particular phone number, migrate your WhatsApp account to the new number. A simple way to do this is WhatsApp's Change Number feature, which migrates your account information (including your profile information) as well as your groups.

Sources:

Original Story

https://thehackernews.com/2019/01/whatsapp-privacy-chats.html

FAQ from WhatsApp on changing phone numbers

https://faq.whatsapp.com/en/s40/28030001/

Original Tweet that started it all

https://twitter.com/abbyfuller/status/1083560674884694017