Well the story is still going on. Found a nice video on youtube explaining the issue.
The vulnerability relies on the way WhatsApp behaves when an end user's encryption key changes.
WhatsApp, by default, trusts new encryption key broadcasted by a contact and uses it to re-encrypt undelivered messages and send them without informing the sender of the change.
Source thehackernews.com