Last week I already tweeted
WhatsApp message not delivered. Contact announces new public key. Auto retransmits messages encrypted under new key. head -> table.
That explains this simple bug in the latest WhatsApp version, which now promises beautiful end-to-end encryption, very good. But for my not so nerdy friends I want to provide some more explanation. I'm not following the usual responsible disclosure procedure here, as WhatsApp users are not less secure than when they did not have end-to-end encryption at all. A white-hat report to Facebook (#1008534892515816) has been submitted.
Setting: Three phones. Phone A is Alice's phone. Phone B is Bob's phone. Phone C is the attacker's phone.
Alice starts communicating with Bob and, being a good human, of course meets with Bob in person so they can verify each other's identities, i.e. that the key exchange was not compromised.
Remember, Alice encrypts her messages with the public key she has received from Bob. But this key is sent through the WhatsApp servers, so she cannot know for sure that it is actually Bob's key. That's why they use a secure channel (the physical channel) to verify this.
Now, Alice sends a message to Bob. And then another message. But this time this message does not get delivered. For example because Bob is offline, or the WhatsApp server just does not forward the message.
Now the attacker comes in. He registers Bob's phone number with the WhatsApp server (by attacking the vulnerable GSM network, by putting WhatsApp under pressure, or by being WhatsApp itself).
Alice's WhatsApp client will now automatically, without Alice's interaction, re-encrypt the second message with the attacker's key and send it to the attacker, who receives it.
Only after the fact is a warning displayed to Alice (and also only if she explicitly chose to see such warnings in her settings).
Proprietary closed-source crypto software is the wrong path. After all, this potentially malicious code handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that sends all decrypted messages directly to the FBI.
Signal is better
Signal is doing it right. Alice's second message ("Offline message") was never sent to the attacker.
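To make the difference between the two behaviours concrete, here is a small model of Alice's client (an added example, not code from WhatsApp or Signal). The server is just a phone-number-to-key directory, "encryption" is reduced to recording which key a message was sent under, and all names are assumptions; the only thing being modelled is the policy for undelivered messages when the contact's key changes.

```python
from dataclasses import dataclass, field

class Server:
    """Key directory: whoever registers a number last owns its key (assumed model)."""
    def __init__(self):
        self.keys = {}
    def register(self, number, key):
        self.keys[number] = key
    def lookup(self, number):
        return self.keys[number]

@dataclass
class Client:
    name: str
    block_on_key_change: bool          # False: auto-retransmit (the bug); True: Signal-style
    verified: dict = field(default_factory=dict)   # contact -> key verified in person
    pending: list = field(default_factory=list)    # (contact, text) not yet acknowledged
    sent: list = field(default_factory=list)       # (contact, key_used, text)
    warnings: list = field(default_factory=list)

    def send(self, server, contact, text):
        self.sent.append((contact, server.lookup(contact), text))
        self.pending.append((contact, text))

    def ack(self, contact, text):
        self.pending.remove((contact, text))

    def on_key_change(self, server, contact):
        """Server announces a new key for contact: decide what happens to pending messages."""
        new_key = server.lookup(contact)
        if new_key == self.verified.get(contact):
            return
        held = [(c, t) for c, t in self.pending if c == contact]
        if self.block_on_key_change:
            self.warnings.append(f"key for {contact} changed; {len(held)} message(s) held")
            return
        for c, t in held:                      # the bug: resend under the unverified key
            self.sent.append((c, new_key, t))
        self.warnings.append(f"key for {contact} changed (after resending {len(held)})")

def run_scenario(block_on_key_change):
    """Constructed replay of the three-phone setting described above."""
    server = Server()
    server.register("bob", "bob-key")
    alice = Client("alice", block_on_key_change)
    alice.verified["bob"] = "bob-key"          # verified in person
    alice.send(server, "bob", "hello")
    alice.ack("bob", "hello")                  # first message delivered
    alice.send(server, "bob", "Offline message")   # second one never acknowledged
    server.register("bob", "attacker-key")     # attacker re-registers Bob's number
    alice.on_key_change(server, "bob")
    return alice
```

Running `run_scenario(False)` ends with "Offline message" sent under `attacker-key` and the warning logged afterwards; `run_scenario(True)` keeps it pending and warns first.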
Signal is also open source and experimenting with reproducible builds. Have a look at it.
Update (May 31, 2016)
Facebook responded to my white-hat report
"[...] We were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing.[...]"