this post was submitted on 14 Sep 2025
116 points (99.2% liked)

Privacy

[–] FrostyPolicy@suppo.fi 35 points 2 days ago (2 children)

> Nothing suggests that WhatsApp’s encryption protocol has been broken or that Meta can read the contents of your conversations.

Nothing prevents them from reading the messages prior to encryption or after decryption.

[–] FizzyOrange@programming.dev 7 points 2 days ago (1 children)

Well not nothing. Android apps are quite easy to reverse engineer so there would be a high risk of them getting caught which would be quite damaging for WhatsApp's brand.

I wouldn't say it's a lot, but it isn't nothing.

There is certainly nothing technical stopping them from doing it, but that's true of Signal too.

[–] ReversalHatchery@beehaw.org 2 points 2 days ago* (last edited 2 days ago) (1 children)

> Well not nothing. Android apps are quite easy to reverse engineer so there would be a high risk of them getting caught which would be quite damaging for WhatsApp's brand.

none of their users would care. but also good luck finding a news site that cares to write about it and has some reach

> There is certainly nothing technical stopping them from doing it, but that's true of Signal too.

isn't signal built reproducibly, without obfuscation?

[–] FizzyOrange@programming.dev 3 points 1 day ago (1 children)
[–] ReversalHatchery@beehaw.org 2 points 1 day ago

I was thinking about signal, and a fun fact is that if we invite all our friends and families to signal, then practically "none" of its users would care about such an incident either

[–] gila@lemmy.zip 3 points 2 days ago* (last edited 22 hours ago) (2 children)

https://faq.whatsapp.com/414631957536067/

Either the report function doesn't work like they say, or messages are stored decrypted, or they can decrypt messages at will based on a simple request from another user

Edit: fixed

[–] Kissaki@programming.dev 4 points 1 day ago* (last edited 1 day ago)

hhttps://

I think I have to decrypt this url before I can open it

/edit: I did it! I was able to decrypt it!

https://faq.whatsapp.com/414631957536067/

[–] Dumhuvud@programming.dev 2 points 1 day ago (1 children)

> When you report a user in an individual chat, WhatsApp receives up to five of the last messages they’ve sent to you.

This particular function is not at odds with E2EE. The client can either:

  • Send decrypted messages to the server. This is flawed because a malicious client can fake them, setting someone up for a ban;
  • Send the keys so that the server can decrypt the messages. Depending on how often keys are rotated, this might leak a couple more messages than intended.

[–] gila@lemmy.zip 1 points 23 hours ago

You're right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn't be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can't read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal, on the other hand, receives the reported sender's phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message.
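
Added example, not part of the thread and not WhatsApp's or Signal's code: the key-disclosure option discussed above, comparing a report that hands over per-message keys with one that hands over a chain key. It models only the symmetric-key ratchet step from the Double Ratchet specification (HMAC-SHA256 with the constants 0x01 and 0x02); the starting key, the eight-message chain and all function names are constructed for illustration, and the Diffie-Hellman ratchet is left out.

```python
import hashlib
import hmac

def kdf_ck(chain_key):
    """One symmetric-ratchet step: (next chain key, message key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def run_chain(chain_key, count):
    """Ratchet `count` times; chain_keys[i] is the key that yields message_keys[i]."""
    chain_keys, message_keys = [], []
    for _ in range(count):
        chain_keys.append(chain_key)
        chain_key, message_key = kdf_ck(chain_key)
        message_keys.append(message_key)
    return chain_keys, message_keys

def recoverable(disclosed, message_keys):
    """Indices of message keys computable from the disclosed values.

    Each disclosed value is tried as a message key as-is and as a chain key
    ratcheted forward, which is everything the recipient of the report can
    do without inverting HMAC.
    """
    known = set(disclosed)
    for value in disclosed:
        known.update(run_chain(value, len(message_keys))[1])
    return [i for i, key in enumerate(message_keys) if key in known]

# Constructed sample: an 8-message sending chain from a made-up starting key.
CK0 = hashlib.sha256(b"constructed demo chain key").digest()
CHAIN_KEYS, MESSAGE_KEYS = run_chain(CK0, 8)

# A report covering messages 2..6 (five messages), sent two different ways.
BY_MESSAGE_KEYS = recoverable(MESSAGE_KEYS[2:7], MESSAGE_KEYS)
BY_CHAIN_KEY = recoverable([CHAIN_KEYS[2]], MESSAGE_KEYS)

if __name__ == "__main__":
    print("per-message keys disclosed ->", BY_MESSAGE_KEYS)
    print("chain key disclosed        ->", BY_CHAIN_KEY)
```

Disclosing the five message keys exposes exactly those five messages, while disclosing the chain key for message 2 also exposes message 7, which was sent after the reported range.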