[FabHK]

> The scenario you describe would cause the identity key to change and trigger a notification if one of the potential clients has that option enabled.

... and that notification would be shown after that potential client's WhatsApp client had re-encrypted the undelivered messages and re-sent them.

[antihero]

So they could effectively leave the phone off for a while, then pop in the SIM and suck up any messages that had been sent in the mean time, and only then would the warning come up?

[mschuster91]

yup

[antihero]

That's pretty savage. This really is a massive issue.

[pfg]

Yes, but this thread starts with "Even if they changed this specific design decision/vulnerability, it seems like there's a big gaping hole (or I'm missing something)."

I don't see how WhatsApp would be vulnerable in this scenario assuming they change this behaviour, but OP claims there's still a big gaping hole.