WhatsApp Security Flaw Could Allow Uninvited Guests in Group Chats
A team of cryptographers from Germany’s Ruhr University Bochum say they have uncovered flaws in WhatsApp’s security that could limit the benefits of the messaging service’s much-touted end-to-end encryption in group chats.
The team found a set of security weaknesses in the messaging app that together allow anyone controlling the WhatsApp server to insert other parties into a private group thread without the permission of the administrator who controls the group. In practice, that means an attacker who broke into WhatsApp’s servers could exploit the bug to infiltrate group chats. The impostor could also block messages, such as questions or requests, from reaching the group.
The researchers analyzed flaws in three encrypted chat apps: WhatsApp, Signal and Threema. They planned to present their findings at the Real World Crypto security conference on Wednesday in Switzerland.
Researchers told WhatsApp about the issue last summer. In a statement to Wired, WhatsApp said it had looked into the problem.
“Existing members are notified when new people are added to a WhatsApp group,” the platform said. “We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
The researchers also detailed other flaws in Signal and Threema. In Signal’s case, the same group chat attack found in WhatsApp applies as well. With Signal, however, an impostor would need to control the Signal server and would also need to know the Group ID and the phone number of one member, the researchers said in the paper. Open Whisper Systems, the non-profit that runs and maintains Signal, is also apparently in the process of redesigning how Signal handles group messaging.
The team of security researchers, who revealed the flaw to WhatsApp last July, suggest the company could fix the issue by adding an authentication mechanism for new group invitations that uses a secret key that only the administrator possesses to sign those invitations.
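The fix the researchers suggest, admin-signed group invitations that the server merely relays, is sketched below as an added example. It is not code from the researchers, WhatsApp or Signal: the `MemberUpdate` format, the `Group`, `SignUpdate`, `Apply` and `Scenario` names, the sequence counter and the "alice", "bob", "mallory" sample members are all assumptions of this illustration. Each member pins the admin's Ed25519 public key when the group is created, so an update authored by the server (which holds no admin private key) fails verification, and a re-delivered genuine update is stopped by the counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// MemberUpdate is a hypothetical group-membership change. The field names,
// the "add"/"remove" vocabulary and the sequence counter are assumptions of
// this example, not the format used by WhatsApp or Signal.
type MemberUpdate struct {
	GroupID string
	Seq     uint64 // monotonic counter: members reject replays of old updates
	Action  string // "add" or "remove"
	Member  string
	Sig     []byte // admin's Ed25519 signature over the fields above
}

// signingBytes serialises the authenticated fields with length prefixes so
// that no two distinct updates share the same signed byte string.
func (u MemberUpdate) signingBytes() []byte {
	var out []byte
	for _, s := range []string{u.GroupID, u.Action, u.Member} {
		l := make([]byte, 4)
		binary.BigEndian.PutUint32(l, uint32(len(s)))
		out = append(append(out, l...), s...)
	}
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, u.Seq)
	return append(out, seq...)
}

// Group is the membership view a single client keeps. It pins the admin's
// public key at creation, so the server cannot substitute its own later.
type Group struct {
	ID       string
	AdminPub ed25519.PublicKey
	Members  map[string]bool
	LastSeq  uint64
}

var (
	ErrBadSignature = errors.New("membership update is not signed by the group admin")
	ErrReplay       = errors.New("membership update is stale or replayed")
	ErrWrongGroup   = errors.New("membership update targets a different group")
)

func NewGroup(id, admin string, adminPub ed25519.PublicKey) *Group {
	return &Group{ID: id, AdminPub: adminPub, Members: map[string]bool{admin: true}}
}

// SignUpdate runs on the admin's client; only it holds adminPriv.
func SignUpdate(adminPriv ed25519.PrivateKey, u MemberUpdate) MemberUpdate {
	u.Sig = ed25519.Sign(adminPriv, u.signingBytes())
	return u
}

// Apply runs on every member. The server relays updates but cannot author
// one that passes this check without the admin's private key.
func (g *Group) Apply(u MemberUpdate) error {
	if u.GroupID != g.ID {
		return ErrWrongGroup
	}
	if !ed25519.Verify(g.AdminPub, u.signingBytes(), u.Sig) {
		return ErrBadSignature
	}
	if u.Seq <= g.LastSeq {
		return ErrReplay
	}
	switch u.Action {
	case "add":
		g.Members[u.Member] = true
	case "remove":
		delete(g.Members, u.Member)
	default:
		return fmt.Errorf("unknown action %q", u.Action)
	}
	g.LastSeq = u.Seq
	return nil
}

// Scenario plays out one honest add, one server-authored add and one replay
// (all constructed), returning the results and final member count.
func Scenario() (honest, forged, replay error, members int) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	g := NewGroup("grp-constructed-1", "alice", adminPub)

	// Admin invites bob: signed with the admin's key, accepted by members.
	add := SignUpdate(adminPriv, MemberUpdate{GroupID: g.ID, Seq: 1, Action: "add", Member: "bob"})
	honest = g.Apply(add)

	// A compromised server tries to add "mallory". Lacking the admin key it
	// signs with a key of its own, which the pinned admin key rejects.
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	fake := SignUpdate(serverPriv, MemberUpdate{GroupID: g.ID, Seq: 2, Action: "add", Member: "mallory"})
	forged = g.Apply(fake)

	// The server re-delivers the genuine bob update; the counter stops it.
	replay = g.Apply(add)
	return honest, forged, replay, len(g.Members)
}

func main() {
	honest, forged, replay, n := Scenario()
	fmt.Println("admin add:", honest, "| server-forged add:", forged, "| replay:", replay, "| members:", n)
}
```

The design point is that membership changes become data the members authenticate rather than a server instruction they trust; the server keeps its role of delivering messages but loses the ability to decide who is in the group. A real deployment would also need a way to distribute and rotate the admin key and to hand the admin role to another member, which this sketch omits.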