Some messages sent through WhatsApp can be intercepted and read thanks to a bug in the app, suggests research.
The bug arises because of the way WhatsApp encrypts the messages sent via its service.
Security expert Thomas Boelter found that eavesdropping was possible when circumstances called for encryption keys to be reissued.
Mr Boelter told WhatsApp owner Facebook about the issue in April 2016 but it said it was not working on a fix.
The response he received said that what he had discovered was expected behaviour.
Privacy campaigners claimed in The Guardian newspaper that the bug was a “huge threat” to freedom of speech because it could be used by governments or law enforcement agencies to spy on people who thought they were communicating securely.
The bug crops up in situations when encryption keys used to scramble messages have to be reissued and resent.
Mr Boelter found that, in certain circumstances, attackers can pose as the recipient of a message and force WhatsApp to reissue keys for scrambling information.
Manipulating this system would let attackers intercept and read messages, said Mr Boelter.
Zack Whittaker, security editor at ZDNet, said it was a “stupid and big bug” but played down its seriousness.
The problem was “limited” in its scope, he said, adding that it probably emerged because of “bad coding or a favour to good user experience”.
Cryptographer Frederic Jacobs said anyone worried about falling victim to the bug could adjust security settings on the app to warn them if encryption keys were being changed.
In a statement, WhatsApp explained some of the circumstances in which security keys might change.
“The most common reasons this happens are because someone has switched phones or reinstalled WhatsApp,” it said.
“This is because in many parts of the world, people frequently change devices and Sim cards,” it added. “In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
“Over one billion people use WhatsApp today because it is simple, fast, reliable, and secure,” it said, adding. “As we introduce features like end-to-end encryption, we focus on keeping the product simple and take into consideration how it’s used every day around the world.”