Either the report function doesn’t work like they say, or messages are stored decrypted, or they can decrypt messages at will based on a simple request from another user
When you report a user in an individual chat, WhatsApp receives up to five of the last messages they’ve sent to you.
This particular function is not at odds with E2EE. The client can either:
Send decrypted messages to the server. This is flawed because a malicious client can fake them, setting someone up for a ban;
Send the keys so that the server can decrypt the messages. Depending on how often keys are rotated, this might leak a couple more messages than intended.
You’re right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn’t be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can’t read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal on the other hand receives the reported senders phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message
https://faq.whatsapp.com/414631957536067/
Either the report function doesn’t work like they say, or messages are stored decrypted, or they can decrypt messages at will based on a simple request from another user
Edit: fixed
This particular function is not at odds with E2EE. The client can either:
You’re right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn’t be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can’t read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal on the other hand receives the reported senders phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message
I think I have to decrypt this url before I can open it
/edit: I did it! I was able to decrypt it!
https://faq.whatsapp.com/414631957536067/