WhatsApp flaws could allow uninvited guests into group chats

The report quickly got the attention of WhatsApp's parent company, Facebook.

"If I hear there's end-to-end encryption for both groups and two-party communications", researcher Paul Rösler told Wired, "that means adding of new members should be protected against".

WhatsApp is adding numerous features to its platform to enhance the user experience.

Research by cryptographers from Ruhr University Bochum shows that anyone who controls WhatsApp's servers can secretly add people to group chats.

Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline!"

Stamos said that WhatsApp has seen the researchers' findings.

"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group".

"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group".

Once an uninvited member has been added to the group, the group's confidentiality is broken, because that member can access and read all new messages, claims one of the researchers.


Moxie Marlinspike of Signal, on whose open-source security protocol WhatsApp is built, argued that "if someone hacks the WhatsApp server, they can obviously alter the group membership", but if they do add themselves to a group, then "the attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have and all group members will see that the attacker has joined".

It's not a problem that will impact most users, but chat apps like Signal and WhatsApp have been used for private conversations by everyone from politicians to government dissenters.

In January of last year, the Guardian newspaper reported that WhatsApp was vulnerable to interception, sparking concern over the app that marketed itself as a privacy leader.

German cryptographers have found a way to infiltrate WhatsApp's group chats despite its end-to-end encryption.

The system relies on unique security keys "that are traded and verified between users to guarantee communications are secure and can not be intercepted by a middleman", the report said.

While the research indicates that it is possible for an infiltrator to add members to a group chat without members noticing by manipulating alerts, it's not guaranteed that doing so could be kept secret from the group's members.

"And in groups with multiple administrators, the hijacked server could spoof different messages to each administrator, making it appear that another one had invited the eavesdropper so that none raises an alarm".

The report, however, did not document any threat to the way end-to-end encryption protects the content of messages sent on WhatsApp. They will have to use the "Message Admin" button to post a message or share media to the group.
