by mschuster91 3447 days ago
> The scenario you describe would cause the identity key to change and trigger a notification if one of the potential clients has that option enabled.

But only for messages sent by the sender AFTER the key-change notification. Those still in the send queue get re-encrypted with the new key of the cop phone and then resent without confirmation, and this is the attack window and the bug!

Oh, and most people don't enable the key-change notification anyway so they won't even know that their dealer got arrested.

Sorry, I was thinking under the premise of a hypothetical version of WhatsApp where this behaviour was changed, since that's what OP was referring to. In that scenario, I don't see where the gaping hole is.
How does WhatsApp re-encrypt a message if they aren't supposed to have a key to decrypt? Is this done on the sender's phone? Is it possible to re-encrypt without decrypting?
No, the WA server sends the changed public key of the recipient to the client, which has the unencrypted messages. Then the client re-encrypts all pending messages and resends them.
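The queue behaviour the thread argues about, as an added simulation (not WhatsApp's or Signal's code): a client pins a contact's identity key on first contact, keeps unacknowledged messages in a send queue, and then receives a key-change event from the server. The `auto_reencrypt=True` branch reproduces the behaviour described above (pin the new key, re-encrypt everything still queued, resend with no user decision); the `auto_reencrypt=False` branch is the mitigation a defender would want, holding the queue on the old pin until the user confirms the new key out of band. All names (`Client`, `Envelope`, `scenario`), the keys and the messages are constructed for this example, and the "ciphertext" is a placeholder that only records which key a copy was encrypted to; no real cipher is involved.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint of an identity public key (what a safety-number check compares)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Envelope:
    msg_id: int
    contact: str
    recipient_fp: str   # fingerprint of the key this copy was encrypted to
    payload: str        # constructed stand-in for ciphertext; no real cipher here


@dataclass
class Client:
    auto_reencrypt: bool          # True: resend queued messages to a new key without asking
    notify_on_key_change: bool    # the "show security notifications" setting
    trusted_keys: dict = field(default_factory=dict)  # contact -> pinned identity key (TOFU)
    pending: dict = field(default_factory=dict)       # contact -> [(msg_id, plaintext)] not yet acked
    held: dict = field(default_factory=dict)          # contact -> messages parked on a key change
    notifications: list = field(default_factory=list)
    _next_id: int = 1

    def _encrypt(self, contact, msg_id, plaintext, key) -> Envelope:
        # Constructed placeholder: tags the copy with the key it was "encrypted" to.
        fp = fingerprint(key)
        return Envelope(msg_id, contact, fp, f"enc[{fp}]:{plaintext}")

    def first_contact(self, contact, identity_key):
        self.trusted_keys[contact] = identity_key

    def send(self, contact, plaintext) -> Envelope:
        msg_id, self._next_id = self._next_id, self._next_id + 1
        self.pending.setdefault(contact, []).append((msg_id, plaintext))
        return self._encrypt(contact, msg_id, plaintext, self.trusted_keys[contact])

    def on_ack(self, contact, msg_id):
        """Delivery receipt: the message leaves the queue and can no longer be resent."""
        self.pending[contact] = [m for m in self.pending.get(contact, []) if m[0] != msg_id]

    def on_key_change(self, contact, new_key) -> list:
        """Server reports a new identity key for the contact; returns what the client resends."""
        if self.trusted_keys.get(contact) == new_key:
            return []
        if self.notify_on_key_change:
            self.notifications.append(f"{contact}: identity key changed to {fingerprint(new_key)}")
        queued = self.pending.pop(contact, [])
        if self.auto_reencrypt:
            # Behaviour described in the thread: pin the new key and resend everything
            # still queued, with no user decision in between.
            self.trusted_keys[contact] = new_key
            self.pending[contact] = queued
            return [self._encrypt(contact, i, p, new_key) for i, p in queued]
        # Hardened: keep the old pin and park the queue until the user verifies the new key.
        self.held.setdefault(contact, []).extend(queued)
        return []

    def confirm_key(self, contact, new_key) -> list:
        """User verified the new key out of band: pin it and release the held messages."""
        self.trusted_keys[contact] = new_key
        released = self.held.pop(contact, [])
        self.pending.setdefault(contact, []).extend(released)
        return [self._encrypt(contact, i, p, new_key) for i, p in released]


def scenario(auto_reencrypt: bool) -> dict:
    """Constructed run: three queued messages, one acked, then a key change arrives."""
    old_key, new_key = b"constructed-old-identity-key", b"constructed-new-identity-key"
    c = Client(auto_reencrypt=auto_reencrypt, notify_on_key_change=True)
    c.first_contact("bob", old_key)
    c.send("bob", "first")
    c.send("bob", "second")
    c.send("bob", "third")
    c.on_ack("bob", 1)  # only the first message was delivered before the change
    resent = c.on_key_change("bob", new_key)
    return {
        "resent_to_new_key": [e.msg_id for e in resent if e.recipient_fp == fingerprint(new_key)],
        "held": [i for i, _ in c.held.get("bob", [])],
        "pinned_fp": fingerprint(c.trusted_keys["bob"]),
        "notified": bool(c.notifications),
    }


if __name__ == "__main__":
    print("auto re-encrypt:", scenario(True))
    print("hold for confirmation:", scenario(False))
```

With `auto_reencrypt=True`, messages 2 and 3 go out under the new key the moment the server announces it, and the notification (if enabled at all) arrives only after the fact; with `auto_reencrypt=False` the same two messages stay parked under the old pin and are released only by `confirm_key`. Note that the acked message 1 is never resent in either mode, which is why the exposure is exactly the unacknowledged send queue.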