[7a1c9427]

I think that is a very charitable assumption about the GP claim. The linked article describes a very specific implementation vulnerability around handling of offline messages that would appear to be routed in user experience being ranked higher than operational security by WhatsApp (understandably). In this case it also does notify the user once they are online, and the original phone is logged out alerting the compromised user.

The GP claim is far broader that all E2E communication can be compromised without user awareness permitting ongoing communication between two unaware parties to be monitored.

[uoaei]

> I think that is a very charitable assumption about the GP claim. The linked article describes a very specific implementation vulnerability around handling of offline messages that would appear to be routed in user experience being ranked higher than operational security by WhatsApp (understandably).

Both points (security vulnerability and user experience prioritization) can be true simultaneously. This is the root of all plausible deniability when it comes to installing vulnerabilities in technologies.

I don't see why we should care at all about WhatsApp's intentions with the change when the effects are so pernicious. Facebook et al. definitely do not deserve the benefit of our doubt anymore.

[7a1c9427]

This is true. But I would suggest your operational security has bigger issues than this potential vulnerability if you are using WhatsApp.

Regardless - you still haven't given a source for you original claim. "not deserving benefit of the doubt" does not qualify. If the linked article is in fact you source then in the future please do not exaggerate such claims as you have done. I would have expected a claim from the article to read (along with a link to the source!):

> WhatsApp have modified the protocol slightly auspiciously for user experience but this allows a third party attacker to intercept messages sent offline only alerting the sender after they have been disclosed.