WhatsApp bug lets anyone easily infiltrate private group chats

It plays an important role in securing apps against three types of attackers: a malicious user, a network attacker, and a malicious server.

Despite WhatsApp's secure end-to-end encryption for messages, German researchers have found a loophole that could allow hackers to worm their way into WhatsApp's group chats.

Researchers announced they had discovered flaws in WhatsApp's security at the Real World Crypto security conference in Switzerland, Wired reports.

As described in a newly published paper, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group.

"Read the Wired article today about WhatsApp - scary headline!"

In a statement to IANS on Thursday, a WhatsApp spokesperson said: "We've looked at this issue carefully".

"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group".

In every WhatsApp group, users see a special blue message when someone joins or leaves a group. "Existing members are notified when new people are added to a WhatsApp group".

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," Paul Rösler, a Ruhr University researcher, told Wired.

Moxie Marlinspike of Signal, on whose open-source security protocol WhatsApp is built, argued that "if someone hacks the WhatsApp server, they can obviously alter the group membership", but that if they do add themselves to a group, "The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have and all group members will see that the attacker has joined".

WhatsApp is likely to give group administrators more powers, allowing them to restrict all other members from sending text messages, photographs, videos, GIFs, documents or voice messages if the admin so chooses.

In January of the previous year, the Guardian newspaper reported that WhatsApp was vulnerable to interception, sparking concern over the app that marketed itself as a privacy leader.

The researchers agree that the level of sophistication needed to compromise WhatsApp servers makes this exact attack scenario unlikely, but that's no excuse for security holes in an otherwise sharp system.

This will be possible without needing the group administrator's permission, according to the researchers.

WhatsApp introduced end-to-end encryption to assure users that their conversations cannot be accessed, even if the company providing it so desires.

The researchers also suggest that an attacker with access to WhatsApp servers could selectively block any messages in the group - closing down the ability of group participants to ask questions, or provide warnings about the interloper.

Stamos also admitted that incorporating changes that the researchers recommend "would necessitate a change to the way WhatsApp provides a popular feature called group invite links - which are used millions of times per day".
