The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor — at least as that term is defined by most security experts. ...No. I am an encryption practitioner, and such behavior is neither common nor necessary.
Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.
Since Facebook refuses to fix this problem, it should not be promising "end-to-end encryption". Facebook has engineered in a system for spying on messages.
Facebook/WhatsApp argue that their system is more convenient than true end-to-end encryption. That may be. It may also turn out to be useful for law enforcement to track possible terrorists or child molesters. Most users do not need to be concerned about this vulnerability. They are happy to give up some privacy in order to get some free services. But I would not recommend the system for high-security messages.
Update: Bruce Schneier concludes:
How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
It is a little strange that Facebook/WhatsApp refuses to fix it.