According to Tobias Boelter
Download the slides from Tobias here: WhatsApp Slides from Tobias Boelter
Setting: Three phones. Phone A is Alice’s phone. Phone B is Bob’s phone. Phone C is the attacker’s phone.
Alice starts communicating with Bob and, being a good human, of course meets Bob in person so that they can verify each other's identities, i.e. confirm that the key exchange was not compromised.
Remember, Alice encrypts her messages with the public key she has received from Bob. But this key is sent through the WhatsApp servers, so she cannot know for sure that it is actually Bob's key. That is why they use a secure channel (the physical meeting) to verify it.
Now Alice sends a message to Bob, and then another one. But this time the message does not get delivered, for example because Bob is offline or because the WhatsApp server simply does not forward it.
Now the attacker comes in. He registers Bob's phone number with the WhatsApp server (by exploiting the vulnerable GSM network, by putting WhatsApp under pressure, or by being WhatsApp itself).
Alice's WhatsApp client will now automatically, without any interaction from Alice, re-encrypt the second message with the attacker's key and send it to the attacker, who receives it.
Only after the fact is a warning displayed to Alice (and even then only if she explicitly chose to see such warnings in her settings).
Proprietary closed-source crypto software is the wrong path. After all, this potentially malicious code handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that sends all decrypted messages directly to the FBI.
Signal is better
Signal is doing it right. Alice’s second message („Offline message“) was never sent to the attacker.
Signal is also open source and experimenting with reproducible builds. Have a look at it.
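The two client behaviours described above (WhatsApp re-encrypting the undelivered message to whatever key the server presents, Signal holding it back) modelled as a small Go program. This is an added example, not code from the post or from either app; the X25519 plus AES-GCM message encryption, the Policy names and the SHA-256 key derivation are this example's own simplifications.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// seal encrypts msg with AES-256-GCM under a key derived from X25519(priv, peer). Hashing the
// shared secret directly is a simplification for this example; a real client would use HKDF.
func seal(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, msg string) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail here
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, []byte(msg), nil), nil
}

type Policy int
const (
	ResendOnKeyChange  Policy = iota // what the post observes on WhatsApp: re-encrypt and send, warn afterwards
	BlockUntilVerified               // what the post observes on Signal: hold the message, surface the change
)

// Flush tries to deliver one undelivered message. verified is the key whose fingerprint Alice checked
// in person; serverKey is whatever key the server currently advertises for Bob's number.
func Flush(priv *ecdh.PrivateKey, verified, serverKey *ecdh.PublicKey, msg string, p Policy) ([]byte, error) {
	if p == BlockUntilVerified && !serverKey.Equal(verified) {
		return nil, errors.New("peer identity key changed: holding message until re-verified")
	}
	return seal(priv, serverKey, msg) // ResendOnKeyChange: encrypt to whatever key the server presented
}

func main() {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	other, _ := ecdh.X25519().GenerateKey(rand.Reader) // key the server later advertises for Bob's number
	for _, p := range []Policy{ResendOnKeyChange, BlockUntilVerified} {
		ct, err := Flush(alice, bob.PublicKey(), other.PublicKey(), "Offline message", p)
		fmt.Printf("policy %d: bytes sent=%d err=%v\n", p, len(ct), err)
	}
}
```

With the resend policy the ciphertext leaves the phone keyed to the unverified key; with the block policy nothing is sent and the caller gets an error it must surface to the user before retrying.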
Update (May 31, 2016)
Facebook responded to my white-hat report
„[…] We were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing.[…]“