- A phone number reallocation incident clearly showcases a privacy hole that can strike many WhatsApp users.
- The way the app works sets the stage for a series of errors by unsuspecting users.
- Users are advised to always use the “Change Number” feature when changing phone numbers.
When a WhatsApp account is created, the messaging application uses the SIM number to associate it with the given username and password, and that’s all there is to it. Changing a mobile number means that the same user will have to associate the previous login credentials with the new SIM, but what happens when the same number changes owners? According to a tweet by an Amazon employee who discovered just that, you get the messaging history of the previous owner right in your WhatsApp, free of encryption, and with all the accompanying details in the chat strings.
logged into whatsapp with a new phone number today and the message history from the previous number's owner was right there?! this doesn't seem right.
— Abby Fuller (@abbyfuller) January 11, 2019
Sounds like a crazy privacy bug or a case of negligence from the previous owner’s side, and the truth is, it’s a little bit of both. First of all, mobile carriers and phone number providers/distributors follow the practice of reassigning abandoned phone numbers to new owners. WhatsApp developers know this, so they have established a 45-day message history retention period, after which all messages are deleted from their servers. This privacy protection measure, however, seems to be failing hard due to a bug that keeps undelivered messages stored on the server for a more extended period.
The next problem lies in the encryption method followed by WhatsApp, and more specifically in how the encryption keys are managed. WhatsApp avoids taking an extra verification step when a new encryption key is generated by an undelivered message. This practice opens up a backdoor for man-in-the-middle attacks, while it also contributes to the “number change-history retention” situation. A new user who configured a new WhatsApp account on the same phone number got the same set of private and public keys that the previous user had, so the chat history is readable.
Finally, it all boils down to what users can do to protect their privacy. If the previous owner of the number keeps on using the same WhatsApp account that was configured for that number even after its abandonment, those messages can be kept on the servers until the new owner activates a WhatsApp account with it. What the old number owner should have done is use the “Change Number” feature, migrating the account to a new phone number. Once the change takes place, the old account and all data related to it are automatically deleted from WhatsApp’s servers.