WhatsApp security flaws could allow hackers to slide into group chats without being detected

Only an administrator of a group can invite new members, but WhatsApp does not have a mechanism to authenticate that invitation, a small but fatal flaw.

Back in May 2016, WhatsApp introduced end-to-end encryption for all its users across its platform. While this raised the bar for privacy in the digital messaging sphere, it has become increasingly difficult for the company to keep security standards up, especially when it comes to dealing with group chats. German researchers have now reportedly found a way to breach WhatsApp's security and sneak into group chats.

WhatsApp representational Image. Reuters.

WhatsApp representational Image. Reuters.

The researchers found that the flaws in WhatsApp make it much easier to break into group conversations, than what should be the case. Attending the Real World Crypto security conference in Zurich, Switzerland, the German cryptographers exhibited a series of flaws in encrypted messaging apps including WhatsApp, Signal and Threema. Based on a report by Wired, the flaws found in Signal and Threema were relatively harmless while that found in WhatsApp were a severe privacy concern.

According to the researchers, anyone who has access to and controls WhatsApp's servers could insert new people into an otherwise private group without much hassle.

Paul Rösler, one of the Ruhr University researchers, said, "The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little."

Demonstrating how group conversations on WhatsApp can be hacked, the researched stated how their attack takes advantage of a simple and small bug in the way WhatsApp's encryption works. Only an administrator of a WhatsApp group can invite new members, but WhatsApp does not have a mechanism to authenticate that invitation. Its servers can hence spoof the invitation allowing the addition of a new member to a group with no interaction on the part of the administrator. The smartphones of each participant in the group then automatically share secret keys with the new member, giving the new participant full access to future messages.

The researchers also pointed out several methods that can be used to delay the detection of a new participant, including using the server to selectively block any messages in the group. This involves caching the messages and then deciding which get sent to whom and which not.


Top Stories

also see