Yeah, I blogged about this Apr 16: 
https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/. Signal is 
doing it right btw, giving the user the choice of retransmitting under the new 
public key or not. WhatsApp is "aware of the issue and might change it in the 
future, but for now it's not something [they]'re actively working on changing".

> On Jun 9, 2016, at 1:42 PM, Jason A. Donenfeld <ja...@zx2c4.com> wrote:
> 
> On Thu, Jun 9, 2016 at 10:40 PM, Nadim Kobeissi <nadim@nadim.computer> wrote:
>> I've also noticed this, but in my experience, Bob's phone will also show a 
>> notification that Alice's "security code has changed" right before 
>> re-transmitting the "lol" message. Does this notification appear for you?
> 
> It mentions that the security code has changed, but it still
> retransmits the messages automatically, and clicking on the security
> code thinger a nice popup shows saying "the person you're talking to
> probably just got a new phone! keep calm, carry on."
> 
>> this re-transmission should not be automatic.
> 
> Yes, I believe this is the crux of the problem.
> _______________________________________________
> Messaging mailing list
> Messaging@moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
