In short: neither the WhatsApp service nor its 45-day deletion policy appears to have a bug. For a detailed explanation, read on.
An Amazon employee earlier today tweeted details about an incident that many suggest could be a sign of a huge privacy bug in WhatsApp, the most popular end-to-end encrypted messaging app, one that could expose some of your secret messages under certain circumstances.
According to Abby Fuller, she found some mysterious messages on WhatsApp, notably not associated with her contacts, immediately after she created a new account with the messaging app on her brand new phone using a new number for the very first time.
Fuller believes that the content that mysteriously appeared on her new account was the message history associated with the WhatsApp account of the previous owner of the same SIM/mobile number, which WhatsApp pushed to her phone.
Since, for WhatsApp, your phone number is your username and the password is the OTP it sends to that number, this is not a vulnerability. This is how the service works.
In a blog post, WhatsApp has explicitly mentioned that it’s a “common practice for mobile providers to recycle numbers, you should expect that your former number will be reassigned.”
In her tweets, Fuller said that the chat history that appeared was “not FULL, but definitely actual threads/DM conversations.” She has yet to confirm whether those messages also included any message sent by the previous SIM owner.
However, to my knowledge, setting up WhatsApp on a new device using a new phone number could not restore the full message archive of the previous owner because the company never backs up your encrypted conversations on its server.
Instead, WhatsApp gives users the option to upload a backup of their chats to online cloud services, and keeps only pending messages on its own server until they are delivered to the recipients when they come back online.
This suggests that the messages Fuller found on her newly created WhatsApp account were probably only the undelivered messages sent by the contacts of the previous owner after he/she stopped using that SIM number.
Moreover, to prevent your previous messages from landing on someone else’s device, WhatsApp recommends that users either delete their account before they stop using a SIM or migrate the WhatsApp account with the “Change number” feature available in the app settings.