An alleged backdoor in WhatsApp's end-to-end encryption protocol is said to allow Facebook or government agencies to listen in on unsuspecting users. WhatsApp has claimed that no one, not even Facebook staff, can access the messages of WhatsApp's more than one billion users.
The alleged backdoor was discovered by University of California, Berkeley security researcher Tobias Boelter. He described it in detail to The Guardian, explaining that it allows WhatsApp to intercept messages by forcing a new security key to be generated. Messages that have not yet been marked as delivered can be re-encrypted and re-sent under a new key that WhatsApp knows and provides. If the recipient is offline, they are not made aware of this change in encryption, and the sender is only notified if they have opted in to encryption warnings.
WhatsApp uses the Signal Protocol, just like Open Whisper Systems' Signal Private Messenger. However, this underlying weakness is not inherent to the Signal Protocol: if the key changes in Signal, the messages simply fail to be delivered, whereas WhatsApp automatically tries to resend the message with the new key without warning. Boelter said he reported this issue to Facebook back in April 2016 but was told it was "expected behavior" and wasn't being worked on.
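As an added illustration (not code from the article, WhatsApp or Signal), the following Python model contrasts the two client policies described above when the recipient's key changes while messages are still undelivered: fail closed, or re-encrypt the pending plaintext under the new key. The toy HMAC-based cipher and the `SenderClient` class are assumptions standing in for the real protocol session.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Toy stream cipher (keystream = HMAC-SHA256(key, counter)); a stand-in for
# the Signal Protocol session cipher, not a real one.
def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + 32], block))
    return bytes(out)

toy_decrypt = toy_encrypt  # XOR keystream: same operation both ways

@dataclass
class SenderClient:
    # auto_resend=True models the behaviour the article attributes to WhatsApp;
    # auto_resend=False models the fail-closed behaviour it attributes to Signal.
    session_key: bytes
    auto_resend: bool
    show_key_change_warnings: bool = False
    outbox: list = field(default_factory=list)   # plaintexts not yet confirmed delivered
    wire: list = field(default_factory=list)     # (key used, ciphertext) that left the device
    warnings: list = field(default_factory=list)

    def send(self, plaintext: bytes) -> None:
        self.outbox.append(plaintext)
        self.wire.append((self.session_key, toy_encrypt(self.session_key, plaintext)))

    def mark_delivered(self) -> None:
        self.outbox.clear()    # a delivered message is never re-encrypted

    def on_key_change(self, new_key: bytes) -> None:
        # The client cannot tell a genuine new device from a substituted key;
        # the policy question is whether undelivered plaintext gets re-encrypted.
        if not self.auto_resend:
            self.warnings.append("key changed; pending messages NOT resent")
            return
        if self.show_key_change_warnings:
            self.warnings.append("key changed; pending messages resent")
        self.session_key = new_key
        for plaintext in self.outbox:
            self.wire.append((new_key, toy_encrypt(new_key, plaintext)))

def readable_with(client: SenderClient, key: bytes) -> list:
    # Plaintexts a holder of `key` can recover from what was transmitted.
    return [toy_decrypt(k, ct) for k, ct in client.wire if k == key]
```

With `auto_resend=True` and warnings off, the holder of the new key recovers every undelivered message and the sender sees nothing; with `auto_resend=False` nothing is re-sent and the sender is warned.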
The vulnerability has been called a "gold mine for security agencies", a "huge betrayal of trust", and a "threat to freedom of speech" by other security experts. Others frame it as a trade-off between user experience and security, in which WhatsApp chose the former because of its massive user base.
For those who want secure communication above all, the best alternative is to use a dedicated app like Signal, as recommended by NSA whistleblower Edward Snowden.