Are you sure those WhatsApp messages are meant for you?
Senior Amazon technical expert Abby Fuller had a bit of a shock when she logged into WhatsApp using a new telephone number earlier this month. She found someone else’s messages waiting for her.
WhatsApp, which Facebook purchased for $19bn in 2014, advertises itself as a secure, reliable messaging app.
The service prides itself on not retaining messages on its servers once they have been delivered. Fuller was using a new telephone number on a new mobile device. Her SIM card was new, and she hadn’t restored any backed-up messages from anywhere. So what gives? How did messages meant for someone else get onto her phone?
WhatsApp ties user accounts to their phone numbers. The problem is that people don't always keep their phone numbers forever. When someone stops using a number, for example by ending their smartphone contract, it goes back into a pool of numbers, and under FCC rules it can be reassigned to someone else after 90 days.
WhatsApp is aware of this, and warns:
Before you stop using a particular phone number, you should migrate your WhatsApp account to the new number.
It even has a Change Number feature to help people switch their accounts from one number to another.
Perhaps the number’s previous owner didn’t do that, but even if they didn’t, the company has a failsafe. It monitors account inactivity and watches for accounts that are unused for 30 days. If someone then activates an account with that number on a different mobile device, WhatsApp removes all the old account data tied to that phone number, including the profile photo and the About section, it says.
Yet Fuller has had her number for longer than that:
This number has been mine > 45 days (multiple month). Seems like the messages should have been wiped with the accou… twitter.com/i/web/status/1…
Abby Fuller (@abbyfuller) January 11, 2019
One potential explanation is that WhatsApp relies not only on the original owner of the number changing their account, but also on all of their friends updating their address books. It warns:
Whenever a friend gives up a phone number, you should make sure to delete the number from your phone’s address book. As it is common practice for mobile providers to recycle numbers, you may incorrectly identify an account in WhatsApp as your friend’s account, when in fact the account belongs to the new phone number’s owner.
WhatsApp exclusively uses phone numbers to identify accounts and we display the names you have saved in your address book for those contacts.
At least one Twitter user suggested that this might be the root cause:
Filippo Valsorda (@FiloSottile) January 11, 2019
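The account lifecycle described above can be modelled in a few lines. This is an added sketch, not WhatsApp's code: the `Directory` class, the device names, the phone number and the rule that an active number on a new device belongs to the same owner are all assumptions made for illustration. It shows that wiping the old account on re-registration drops queued messages, yet anything sent afterwards by a contact with a stale address book still reaches the new owner, because the number is the only identifier.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVITY_WINDOW = timedelta(days=30)  # inactivity period quoted in the article

@dataclass
class Account:
    device_id: str
    last_seen: datetime
    profile: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)  # queued, undelivered messages

class Directory:
    """Hypothetical account store whose only key is the phone number."""
    def __init__(self):
        self.accounts = {}

    def register(self, number, device_id, now):
        old = self.accounts.get(number)
        stale = old is not None and now - old.last_seen >= INACTIVITY_WINDOW
        if old is None or (stale and old.device_id != device_id):
            # First use, or a recycled number: start from an empty account so
            # the profile AND any queued messages of the old owner are dropped.
            self.accounts[number] = Account(device_id, now)
        else:
            # Assumption: an active number on a new device is the same owner.
            old.device_id, old.last_seen = device_id, now
        return self.accounts[number]

    def send(self, number, text):
        self.accounts[number].pending.append(text)

    def fetch(self, number, device_id):
        acct = self.accounts[number]
        if acct.device_id != device_id:
            raise PermissionError("device not registered for this number")
        delivered, acct.pending = acct.pending, []
        return delivered

def simulate():
    d, t0 = Directory(), datetime(2019, 1, 1)  # constructed dates and number
    d.register("+15550100", "old-owner-phone", t0)
    d.send("+15550100", "queued before the number was recycled")
    d.register("+15550100", "new-owner-phone", t0 + timedelta(days=46))
    before = d.fetch("+15550100", "new-owner-phone")
    # A friend with a stale contact addresses the number, not a person.
    d.send("+15550100", "sent by a friend with a stale address book")
    after = d.fetch("+15550100", "new-owner-phone")
    return before, after
```

If the wipe in `register` skipped the `pending` queue, the first fetch would hand the previous owner's messages to the new device.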