{"id":38,"date":"2021-12-30T22:23:50","date_gmt":"2021-12-30T22:23:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=38"},"modified":"2021-12-30T22:23:50","modified_gmt":"2021-12-30T22:23:50","slug":"whatsapp-for-android-retains-deleted-contacts-locally","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=38","title":{"rendered":"WhatsApp for Android Retains Deleted Contacts Locally"},"content":{"rendered":"<h2 class=\"wp-block-heading\">Summary<\/h2>\n<p>WhatsApp for Android retains contact information locally after contacts are deleted. This would allow an attacker with physical access to the device to check if the WhatsApp user had interactions with specific contacts, even though they have been deleted.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability Details<\/h2>\n<p>When a contact is deleted on WhatsApp, their information about security code changes is retained (while the chat content is not). The only way to get rid of it is to select \u201cClear Chat\u201d for the contact before deleting it. Even deleting the chat itself doesn\u2019t do it unless the \u201cClear Chat\u201d operation is done first. <a href=\"https:\/\/faq.whatsapp.com\/general\/security-and-privacy\/security-code-change-notification\/?lang=en\">The \u201csecurity code change notifications\u201d option<\/a> must be enabled in order for this to work.<\/p>\n<p>Someone getting access to the user\u2019s device can figure out whether they ever chatted with specific contacts, even if those contacts and their chats are no longer on the device. This is a privacy issue \u2013 especially for people like journalists and those living in dangerous countries.<\/p>\n<p>Since WhatsApp uses Android\u2019s Contacts app for contact information but supports chats with numbers that aren\u2019t contacts, our theory is that the application retains information about security code changes even for contacts no longer on the device. 
There seems to be a discrepancy between how the \u201cClear Chat\u201d and \u201cDelete Chat\u201d options are implemented in the application, with only the first deleting the security notification data.<\/p>\n<p>To reproduce:<\/p>\n<ol>\n<li>Delete a chat with a contact that had security code changes before.<\/li>\n<li>Delete the contact from the device via the Android Contacts app.<\/li>\n<li>Re-add the contact to the device via the Android Contacts app.<\/li>\n<li>Start a new chat in WhatsApp with that contact but do not send any messages.<\/li>\n<li>Observe that security code changes are listed with dates in the chat.<\/li>\n<li>Select \u201cClear Chat\u201d to remove the security code changes, and repeat steps 1-4. Observe that the security code changes no longer appear.<\/li>\n<\/ol>\n<p>Tested on WhatsApp for Android, app version 2.21.20.20, running on Android 12.<\/p>\n<h2 class=\"wp-block-heading\">Vendor Response<\/h2>\n<p>We haven\u2019t retested on a more recent version, but our recommendation to users is to use the \u201cClear Chat\u201d option in order to prevent this.<\/p>\n<p>The vendor will not be fixing this issue; here is their response:<\/p>\n<p><em>As part of the attack scenario you describe getting access to a person\u2019s WhatsApp account to obtain private data, as you mention yourself, people do have a way to remove these messages from their account; if a bad actor gets access to their WhatsApp account prior to that person deleting that information then they will be able to view this information. 
As such, we are closing this report.<\/em><\/p>\n<h2 class=\"wp-block-heading\">References<\/h2>\n<p>CWE: <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/212.html\">CWE-212 \u2013 Improper Removal of Sensitive Information Before Storage or Transfer<\/a><\/p>\n<p>Facebook # 10102482597361835<\/p>\n<h2 class=\"wp-block-heading\">Timeline<\/h2>\n<p>2021-10-24: Initial report sent to the vendor, report ID assigned<br \/>2021-10-27: Vendor asks for more info, additional info and screenshots sent<br \/>2021-11-03: Vendor sent interim status report, still investigating<br \/>2021-11-09: Vendor rejects the vulnerability and closes the report<br \/>2021-12-30: Public disclosure<\/p>","protected":false},"excerpt":{"rendered":"<p>Summary WhatsApp for Android retains contact information locally after contacts are deleted. This would allow an attacker with physical access to the device to check if the WhatsApp user had interactions with specific contacts, even though they have been deleted. Vulnerability Details When a contact is deleted on WhatsApp, their information about security code changes 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":39,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-38","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/38"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/39"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}