It means the company could intercept messages sent to phones that aren't connected to the internet and forward them on to a separate device without the sender or receiver knowing. The messages could still be sent to the intended device, leaving users that don't have security notifications switched on completely unaware.
If WhatsApp was asked by a government agency to disclose its messaging records it can effectively grant access due to the change in keys," Boelter told the Guardian.
The vulnerability, which is unique to WhatsApp rather than the Signal security protocol it uses, can also be used to retrieve entire message transcripts, Boelter said. This is particularly worrying for activists, journalists and regular citizens living in oppressive countries.
Some might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message."
Boelter told Facebook about the flaw last Spring, but the company said it was "expected behaviour" and has not attempted to fix it.
Experts said the findings were"serious" and "alarming" at a time when governments are looking for ways to bypass encryption, and criticised the company for violating users' privacy.
"The potential for government abuses from this misuse of encryption with WhatsApp is alarming," said Kevin Bocek, chief cyber security strategist at Venafi. "This is a serious vulnerability."
Bocek urged companies to put systems in place that protect cryptographic keys quickly when needed. "This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy, a basic right for people worldwide."
WhatsApp said it implemented the backdoor to make it easier for users, with the most common reason for security codes changing being when a user switches their device or re-installs the app.
"In many parts of the world, people frequently change devices and Sim cards," the company said. "In these situations, we want to make sure people’s messages are delivered, not lost in transit.