WhatsApp recently announced a new “Delete for Everyone” feature that lets users delete messages permanently at both the sender’s and the receiver’s end. Less than a month after the feature rolled out for everyone, a new loophole in WhatsApp for Android has been exposed, which lets users read a message that has been deleted by the sender within 7 minutes of sending it. This is made possible by a third-party app that keeps track of all your incoming notifications. Such third-party apps are designed to help users retrieve accidentally cleared notifications, which is fair enough, even though I am not very comfortable with any third-party app accessing any kind of data stored on my phone. But that’s a debate for another day.
How do third-party notification log managers retrieve permanently deleted WhatsApp messages?
As I mentioned before, these third-party notification log managers keep track of all the notifications that users receive on their smartphones. In order to read deleted WhatsApp messages, users need to install a third-party app called Notification History Log. The app has reached 5,000 downloads as of this writing. So one thing is for sure: a considerable number of users are already using this app, not necessarily to retrieve deleted WhatsApp messages.
Once the app was successfully installed on my phone, I had to manually grant it permission to access notifications. Once the permission was granted, it started recording all my WhatsApp notifications, including ‘This message was deleted’ prompts. That was enough for me to read deleted messages in plain text even though they no longer existed in my WhatsApp conversations. It happened for one simple reason: WhatsApp sends out notifications for both messages and ‘This message was deleted’ prompts. What is even more shocking is that Notification History Log is not the only app that can retrieve deleted WhatsApp messages. We tried a couple of other similar apps as well and they worked too, and some of them have already crossed 50,000 downloads.
Why should WhatsApp users be bothered about this?
This comes as a bit of a shocker for two reasons. First, deleted messages should leave no footprints at all. Second, since all WhatsApp messages are end-to-end encrypted, they shouldn’t be accessible to any third-party app, or even to WhatsApp for that matter. So I decided to dig deeper into how the end-to-end encryption actually works. For those who are wondering, the whole idea behind implementing it is to safeguard the communication between two parties (individuals or group chats) no matter what, and to prevent it from being accessed by anyone else, not even WhatsApp.
That brings me to my next point. The basis of WhatsApp’s end-to-end encryption is the Signal Protocol, which was designed by the software firm Open Whisper Systems. WhatsApp clearly states in its technical whitepaper, WhatsApp Encryption Overview (originally published on April 5, 2016 and last updated on July 6, 2017), that this end-to-end encryption protocol is designed to prevent third parties and WhatsApp from having plaintext access to messages or calls. So letting third-party apps read plain-text messages in the form of notifications is enough to raise doubts over the security and privacy claims made by WhatsApp.
What should a WhatsApp user do about this?
So if you want to prevent this from happening to you going forward, you can simply turn off WhatsApp notifications or start using WhatsApp Web on your desktop/laptop. But needless to say, this is not a permanent or feasible solution. You should also refrain from downloading unauthorized third-party apps and letting them access your notifications or personal data, because installing these third-party apps involves the risk of your personal data being dumped on some unauthorized servers.
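To check which apps on a phone already hold the notification access described above, the following added example (not part of the original article or of any app it mentions) parses the value of Android's `enabled_notification_listeners` secure setting and lists every package that is not on an allowlist you trust. The package names, the sample value and the allowlist are constructed for illustration; reading the value from a real device assumes `adb` and USB debugging.

```shell
#!/bin/sh
# Audit which Android apps hold notification-listener access.
# The secure setting enabled_notification_listeners is a colon-separated
# list of components in the form "package/service.class".

# Constructed sample value (hypothetical packages, not from a real device).
SAMPLE='com.example.wearcompanion/com.example.wearcompanion.NotifService:com.example.notiflog/.LogListenerService'

# listener_packages VALUE -> one package name per line, de-duplicated.
# Handles the literal "null" that the settings command prints when unset.
listener_packages() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' |
        sed -e '/^$/d' -e '/^null$/d' -e 's#/.*##' | sort -u
}

# unexpected_listeners VALUE ALLOWLIST -> packages with notification access
# that are not in the space-separated ALLOWLIST.
unexpected_listeners() {
    listener_packages "$1" | while IFS= read -r pkg; do
        case " $2 " in
            *" $pkg "*) ;;                 # trusted, skip
            *) printf '%s\n' "$pkg" ;;     # report for review
        esac
    done
}

# read_device_listeners -> current value from an attached device.
# Not called by the demo below; requires adb and an authorized device.
read_device_listeners() {
    adb shell settings get secure enabled_notification_listeners
}

# Demo on the constructed sample: only the companion app is trusted.
echo "Packages with notification access outside the allowlist:"
unexpected_listeners "$SAMPLE" "com.example.wearcompanion"
```

On a real device, pass `"$(read_device_listeners)"` instead of `"$SAMPLE"` and revoke access for anything unexpected from the phone's notification access settings.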
The big question: Will WhatsApp keep the promises it made about end-to-end encryption?
It remains to be seen whether WhatsApp will do something to prevent such things from happening to its users in the future, because this is not the first time the privacy of WhatsApp users has been at stake.
Previously, we demonstrated how to download WhatsApp stories on your phone without taking screenshots, which is still possible since viewed WhatsApp statuses are stored locally under Android’s storage/WhatsApp/.Statuses hidden directory for 24 hours. However, since not all users are familiar with the procedure, they primarily depend on third-party apps, letting them access internal storage/SD card data to do the job.
We have reached out to WhatsApp for a comment on these issues, and we will update our story as soon as we have anything to share with you.