An Amazon employee earlier today tweeted details about an incident that many suggest could be a sign of a huge privacy bug in the most popular end-to-end encrypted Whatsapp messaging app that could expose some of your secret messages under certain circumstances.
According to Abby Fuller, she found some mysterious messages on WhatsApp, notably not associated with her contacts, immediately after she created a new account with the messaging app on her brand new phone using a new number for the very first time.
Fuller believes that the mysteriously appeared content on her new account was the message history associated with the WhatsApp account of the previous owner of the same SIM/mobile number, which WhatsApp pushed to her phone.
Since for WhatsApp, your phone number is your username and password is the OTP it sends to that number, it's not a vulnerability. This is how the service works.
In a blog post, WhatsApp has explicitly mentioned that it's a "common practice for mobile providers to recycle numbers, you should expect that your former number will be reassigned."
In her tweets, Fuller said that the appeared chat history was "not FULL, but definitely actual threads/DM conversations," she has yet to confirm if those messages also included any message sent by the previous SIM owner.
However, to my knowledge, setting up WhatsApp on a new device using a new phone number could not restore full message archive of the previous owner because the company never backs up your encrypted conversations on its server.
Instead, WhatsApp gives users option to upload a backup of their chats to online cloud services, and just keeps pending messages on its own server until delivered to the recipients when they come back online.
This suggests that the messages Fuller found on her newly created Whatsapp account were probably only the undelivered messages sent by the contacts of the previous owner after he/she stopped using that SIM number.
Moreover, to prevent your previous messages from landing onto others device, WhatsApp recommends users to either delete their account before stop using a SIM or mitigate the WhatsApp account with "Change number" feature available in the app settings.
Besides this, in case you forget to delete your old account, WhatsApp automatically deletes undelivered messages from its servers 45 days after you stay offline, preventing the new owner of your old number from receiving those messages.
However, Fuller claimed that she owns her new phone number from many months, i.e., more than 45 days, and may be due to some bug due to which WhatsApp failed to delete those messages from its server that were associated with the previous SIM owner.
Here's What Could Have Happened
A few tech sites and users on Twitter, Reddit currently suggesting that WhatsApp "45-day message deleting mechanism" contains a bug that eventually is keeping undelivered messages stored on the company server for a longer period after the recipients stop using their accounts.
However, they all missed an important fact here — You don't need your SIM to keep using your WhatsApp account, once configured on the phone.
That means, it is likely possible that the old owner of that SIM was still using his WhatsApp account after dumping the SIM number until Fuller recently configured the same number and verified the account using the OPT received on her phone.
So, with high confidence, we can say that the messages appeared on the Fuller phone were only some recently undelivered messages that the old user was supposed to receive when online this morning.
What About the WhatsApp Encryption Keys?
Lastly, if you are thinking how a new user with a new WhatsApp private key on her phone was able to receive/read messages that were actually end-to-end encrypted using the private keys of the previous owner, you should read our previous article here.
This story also highlights the privacy threat a Guardian reporter raised two years ago in the way WhatsApp implemented the protocol, wherein the company, by default, trusts new encryption keys broadcasted by a contact and uses it to automatically re-encrypt undelivered messages and send them to the recipient without informing or leaving an opportunity for the sender to verify the recipient.
We have contacted the WhatsApp team and waiting for their comment. We'll update the story as soon as we hear back from them.