  • Undelivered WhatsApp messages sent to new device (design concern?)

This is odd. At least I believed WhatsApp when they said all messages and media are end-to-end encrypted using the Signal protocol, and that not even WhatsApp themselves can read them.

WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. All of this happens automatically: no need to turn on any special settings to secure your messages.

https://faq.whatsapp.com/820124435853543

That is on their website, but there are numerous places in the app that say the same. I mean, it is a proprietary app so we don't really know, and have to trust their word on it, and the app is developed by Meta, a company not exactly well-known for privacy. But I was still shocked by this.

I shut down the phone the usual way. Then I entered bootloader mode and factory defaulted the device from there. After having set up the phone, many hours later, I installed WhatsApp again. It asked me for my phone number, then I input the verification SMS code I got, and poof, all messages that have been sent to me during the day are received, including some photos, and show up just fine in the app. All I entered, all the app knows, is my well-known publicly available mobile phone number. I mean, if there is any encryption at all, it is derived from my phone number.

This is the biggest scam ever. Or maybe not, but I was still shocked.

Bottom line, messages and media in WhatsApp chats, both 1:1 chats and group chats, are not encrypted at all, contrary to what WhatsApp UI and their website say. There is zero encryption.

    okay, maybe I'm missing something here, but how would it work any other way? Those messages are in transit (undelivered) so naturally the server delivers them once your client goes online. Of course anyone with access to that phone number could receive your messages, as it would be with Signal. So, I'd like to be enlightened about the problem here.

      splattergames Of course anyone with access to that phone number could receive your messages, as it would be with Signal. So, I'd like to be enlightened about the problem here.

      I should not be able to decrypt those messages. Those should have been sent to my previous installation's decryption key. The only way I can decrypt those messages is if my new WhatsApp installation on my newly factory defaulted device is able to derive exactly the same private key for message decryption, or can obtain the private key from somewhere. But I entered nothing more than my phone number, not even anything that resembles a password even less an actual security key.

      WhatsApp staff could have done the same, knowing only my phone number. So the messages were not end-to-end encrypted, and WhatsApp staff can read them all.

      I certainly hope Signal doesn't allow receiving messages in that way. I know for certain Matrix requires your security key to decrypt past messages.

        ryrona okay, just tested and Signal doesn't deliver them like WhatsApp seems to do. I guess they really derive the private key from the phone number (which is incredibly stupid) but it was always assumed they could read all messages, so that really doesn't surprise me in the slightest.

        ryrona It asked me for my phone number, then I input the verification SMS code I got, and poof, all messages that have been sent to me during the day are received, including some photos, and show up just fine in the app.

        Do you mean messages that were sent after WhatsApp was uninstalled, and before it was reinstalled?
        I don't see how this is problematic - when you reinstall WhatsApp, messages which were never actually delivered to you are probably just sent again from their origin, using your new public key to encrypt them (after all, your device informs WhatsApp's servers that the key changed; you can "see" this happening if someone you chat with on WhatsApp does this, a message will appear in the chat informing you the "security code" changed).
        Messages which were delivered already will not appear on the device without restoring a backup.

          mrket Do you mean messages that were sent after WhatsApp was uninstalled, and before it was reinstalled?

          Yes.

          mrket I don't see how this is problematic - when you reinstall WhatsApp, messages which were never actually delivered to you are probably just sent again from their origin, using your new public key to encrypt them (after all, your device informs WhatsApp's servers that the key changed; you can "see" this happening if someone you chat with on WhatsApp does this, a message will appear in the chat informing you the "security code" changed).

          Okay, I just assumed messages were sent to WhatsApp servers, and then from there to the receiver, since one cannot assume any kind of reliable message delivery if both sender and receiver must be online at the same time. But I guess what you say could be something they do. It should be easy to test though. Just let someone send you the message and then they go offline. If the message is now not delivered to you after having registered your new WhatsApp installation until they come online again, then that is true. But I have never experienced WhatsApp to deliver messages out of order, or to require both parties to be online. I have always assumed they store the messages on their server until they can be delivered to you.

            ryrona I have definitely seen WhatsApp messages delivered out of order a few times.
            Also, why would both sides need to be online at the same time, even in this case?
            When you switch devices (for example) and your key changes, your client sends the server a new public key, which is then propagated by the server to clients you've been in contact with, which they then use to re-encrypt any undelivered messages, and then send those to the server to be delivered to you.
            If one of those clients happens to be offline when you send the new public key, I assume it will just resend the messages once it comes online and receives it (which, as you say, can cause messages to appear out of order).


              mrket When you switch devices (for example) and your key changes, your client sends the server a new public key, which is then propagated by the server to clients you've been in contact with, which they then use to re-encrypt any undelivered messages, and then send those to the server to be delivered to you.

              Ok... but...

              What stops the WhatsApp staff from generating a new public key and sending it to their servers and reading any undelivered messages?

              I am not a WhatsApp user, so I don't know how it's supposed to work, but shouldn't it be hard to re-key a user's account?

                de0u What stops the WhatsApp staff from generating a new public key and sending it to their servers and reading any undelivered messages?

                Probably nothing.
                If you steal someone's phone number, it is very likely you can steal their WhatsApp account too (most people probably aren't using a password as it's not required).
                However, once a new key is generated, the clients will send messages encrypted against that new key, which means your device can no longer receive new messages, so you'll figure it out sooner or later (if someone actually managed to access your account on their device, the WhatsApp client on your device will be automatically logged out, which will make it even more obvious).
                At the end of the day it's a proprietary service - you shouldn't send anything really sensitive through it.

                ryrona Quoting from another forum post.

                Would be good if OP would clarify whether messages that were sent to them and delivered to their previous session were also re-encrypted to their new session automatically. If it’s only undelivered messages it’s bad, but if the client goes back like a full day and resends previously delivered messages automatically to new sessions, it’s even worse as it would allow a malicious server to arbitrarily exfiltrate a day or so worth of messages from anyone they’d like. Undetected until after the fact.

                ryrona

                Very interesting observation. There probably still is encryption, but with keys available to Meta... Pretty crazy.

                • [deleted]

                ryrona

                ryrona After having set up the phone, many hours later, I installed WhatsApp again

                The "public key" is kept on the server.
                The "private key" is kept on the device.
                This raises the following questions:

                1. How did the private keys survive a factory reset and a reinstall of the WhatsApp application?
                2. Are the private keys reproducible if the app is reinstalled on the same device?
                3. How does the private key generation algorithm work?

                How Signal Instant Messaging Protocol Works (& WhatsApp etc) - Computerphile
                https://youtu.be/DXv1boalsDI

                I don't use WhatsApp, nor do I know how it works exactly, but isn't it feasible that after logging in to a new device, contacts' clients are notified and they then send undelivered messages to the new device using new keys? If I'm right, then it's less of an issue, but still not a good feature for people who use WhatsApp for sensitive communications.

                To be extra clear, I'm just suggesting a possible explanation above without any knowledge or evidence that my suggestion is correct. I'm just trying to think of another explanation for why ryrona can get old messages.

                Either way, I'm not sure this behavior is by itself evidence that WhatsApp messages aren't end to end encrypted. WhatsApp is one of the most popular messaging apps in the world. I think Meta would be caught if they weren't using E2EE.

                GrapheneOS's official recommendations are Signal/Molly and SimpleX.

                  other8026 changed the title to WhatsApp messages delivered to new device (E2EE or design concern?) .
                  • [deleted]


                  other8026

                  other8026 Either way, I'm not sure this behavior is by itself evidence that WhatsApp messages aren't end to end encrypted.

                  I don't think it brings into question whether or not the messages are end-to-end encrypted.

                  ryrona all messages that have been sent to me during the day are received, including some photos, and show up just fine in the app

                  This statement brings into question how the public and private keys are derived and whether or not they are randomly created or created using an algorithm that is repeatable.

                  End-to-end encryption is one thing. Key derivation is a totally different story.

                  • [deleted]

                  ryrona
                  Ryrona, here is a test sequence for you to try.

                  Requirement
                  (2) x separate devices, each with a different phone number for WhatsApp. These devices will be referred to herein as Device 1 and Device 2.

                  Device 1 add Device 2 phone number as a contact.
                  Device 2 add Device 1 phone number as a contact.

                  Device 1 install WhatsApp.
                  Device 2 install WhatsApp.

                  Device 1 send a WhatsApp message to Device 2.
                  Device 2 send a WhatsApp message to Device 1.

                  Device 1 put in airplane mode with WiFi off.

                  Device 2 send a WhatsApp message to Device 1 and make a written note of the time sent.
                  Wait 5 minutes.
                  Device 2 send a WhatsApp message to Device 1 and make a written note of the time sent.
                  Wait 5 minutes.
                  Device 2 send a WhatsApp message to Device 1 and make a written note of the time sent.

                  Device 2 put in airplane mode with WiFi off.

                  Device 1 leave in airplane mode and factory reset the device.

                  Device 1 set up device and install WhatsApp.

                  Device 1 if you are able to read the messages that were sent by Device 2 this would be a red flag.

                  Device 2 turn off airplane mode.

                  Are any messages delivered to Device 1 from Device 2 after turning off airplane mode on Device 2?

                  other8026 isn't it feasible that after logging in to a new device, contacts' clients are notified and they then send undelivered messages to the new device using new keys?

                  Yes, that's how it works: https://signal.org/blog/there-is-no-whatsapp-backdoor/

                  when communicating with a contact who has recently changed devices or reinstalled WhatsApp, it might be possible to send a message before the sending client discovers that the receiving client has new keys. The recipient’s device immediately responds, and asks the sender to re-encrypt the message with the recipient’s new identity key pair. [...] The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a “double check mark,” it can no longer be asked to re-send that message.
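
The retransmission rule in the Signal blog passage quoted above, modelled as an added example that is not part of any post in this thread and is not WhatsApp's or Signal's code. Encryption is replaced by a stand-in envelope that opens only for the matching private key, and every class, function and message name here is hypothetical.

```python
import hashlib, os
from dataclasses import dataclass, field

def new_identity():
    priv = os.urandom(32)  # stand-in for a real identity key pair, no real crypto
    return priv, hashlib.sha256(priv).hexdigest()

@dataclass
class Envelope:
    """Models a ciphertext: opens only for the private key matching to_pub."""
    to_pub: str
    body: str
    def open(self, priv):
        ok = hashlib.sha256(priv).hexdigest() == self.to_pub
        return self.body if ok else None  # None: not encrypted to this key

@dataclass
class Sender:
    peer_pub: str
    outbox: dict = field(default_factory=dict)   # msg_id -> [text, delivered]
    notices: list = field(default_factory=list)  # what the sender's UI would show

    def send(self, msg_id, text):
        self.outbox[msg_id] = [text, False]
        return Envelope(self.peer_pub, text)

    def on_delivery_receipt(self, msg_id):  # the "double check mark"
        self.outbox[msg_id][1] = True

    def on_retry_request(self, msg_id, new_pub):
        # Recipient could not decrypt and presents a new identity key.
        if new_pub != self.peer_pub:
            self.peer_pub = new_pub
            self.notices.append("security code changed")
        text, delivered = self.outbox[msg_id]
        # Delivered messages are never re-encrypted; undelivered ones are.
        return None if delivered else Envelope(new_pub, text)

def demo():
    _, old_pub = new_identity()
    sender = Sender(old_pub)
    sender.send("m1", "delivered earlier")            # constructed sample message
    sender.on_delivery_receipt("m1")
    queued = sender.send("m2", "sent while recipient was offline")
    new_priv, new_pub = new_identity()                # reset and reinstall: new keys
    old_copy = queued.open(new_priv)                  # copy held for the old key
    resent = sender.on_retry_request("m2", new_pub)
    refused = sender.on_retry_request("m1", new_pub)
    return old_copy, resent.open(new_priv), refused, sender.notices
```

In this model the copy queued for the old key stays unreadable to the new install, only the undelivered message is re-encrypted, and the sender ends up with a key-change notice to check against the contact out of band.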

                    other8026 changed the title to Undelivered WhatsApp messages sent to new device (design concern?) .

                    I think the core issue here is that you are able to authenticate using just a phone number. If you go into WhatsApp Settings → Account, you can set a 6-digit PIN or Passkey to be used for logging in instead (just tried the Passkey and got an error though). That should be significantly more secure (in particular the passkey). Signal supports a PIN as well, but it can be a full passphrase if you like.