From end-to-end encryption to 2 step verification and everything in between, WhatsApp has been going in hard to make it’s messaging application as secure as possible. This is always until their metal is tested which is what Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley did.
He discovered a vulnerability in the end-to-end encryption implemented by WhatsApp claiming that there is a backdoor to which WhatsApp can snoop on encrypted messages.
How this works is like this. Every user has a dedicated encryption key that can be regenerated at will. This key is used to verify the recipient of the message as well as to decrypt the message so that the recipient can read/see/hear it.
Now every time you uninstall your WhatsApp or change numbers, a new encryption key is automatically generated.
So how can your messages be snooped then? Well what happens according to Boelter is that if a user is offline, WhatsApp can force generation of a new key that can allow them to view all messages that have not yet been delivered to their destination (all messages with a single grey tick)
Due to the nature of WhatsApp that is initiating an automatic resend of an undelivered message (for purposes of guaranteed message delivery), when a new encryption key is generated, a connection is detected and all pending messages are delivered.
Boelter goes on to say it is not the encryption service that is vulnerable but rather it is WhatsApp’s’ implementation of the service that is introducing the loopholes.