In short, their implementation allows to change the encryption keys of users without their consent to arbitrary, known keys. The protocol won't re-encrypt sent messages, but there is nothing in the protocol forcing the app to show a notification that your encryption key has changed, which amounts to a man-in-the-middle attack. Any subsequent messages sent or received using that encryption key will be exposed to the attacker.
Encryption keys are managed on servers controlled by WhatsApp.
The headline is false (“WhatsApp Backdoor allows Hackers to Intercept and Read Your Encrypted Messages”), in the sense that hackers can’t actually read and intercept WhatsApp messages. Normally the reporting of a security vulnerability includes a POC of an exploit. There isn’t one here, because hackers haven’t been able to exploit it. If an activist saw this story, got scared of WhatsApp, and decided to use SMS or Telegram instead (especially if they didn’t use the opt-in secret chats feature, which most people don’t), their security got weaker.
That doesn’t really refute the claim that this can be used as a backdoor, however. Since the backdoor is only usable by Whatsapp (or whoever controls them and their servers), a random researcher can’t really release a POC.
Disclaimer: I personally know nothing about beyond the posts in this thread.
I honestly think that this story (from the title) is just a clickbait. Ofcourse you need a central server to share the keys and you need to trust that central server. How do you make sure WhatsApp hasn't changed the keys in middle - there is a scan QR functionality. I honestly don't know how these articles still remain active on websites even after proven wrong and obviously clickbaity
In short, their implementation allows to change the encryption keys of users without their consent to arbitrary, known keys. The protocol won't re-encrypt sent messages, but there is nothing in the protocol forcing the app to show a notification that your encryption key has changed, which amounts to a man-in-the-middle attack. Any subsequent messages sent or received using that encryption key will be exposed to the attacker.
Encryption keys are managed on servers controlled by WhatsApp.