WhatsApp security loophole can add uninvited members to your groups


Security researchers from Ruhr University Bochum in Germany say that hackers or spies with access to WhatsApp's servers could, in theory at least, add themselves or others to other people's group chats without the existing members' consent, allowing them to eavesdrop on the conversation.

The design flaw "allows an attacker ... controlling some of the messages sent by the WhatsApp server, to become a member of the group or add other users to the group without any interaction of the other users", according to their research paper released earlier this month.

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", Paul Rösler, one of the researchers, told Wired.

The paper goes further: "We additionally show that strong security properties, such as Future Secrecy which is a core part of the one-to-one communication in the Signal protocol, do not hold for its group communication". The core finding is that whoever controls the server can bypass the check that is supposed to restrict adding members to the group's administrators, so a newly added eavesdropper receives, and can read, every subsequent end-to-end encrypted message exchanged in the group. WhatsApp's response: "We built WhatsApp so group messages can not be sent to a hidden user".

Exploiting the flaw therefore requires access to WhatsApp's servers, which in practice means WhatsApp employees or a government that obtains such access through a court order.

Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago.

"Everyone in the group would see a message that a new member had joined", Facebook security chief Alex Stamos argued in response.


Once a new member is added to a group, the phones of the other participants automatically send that member the secret (sender) keys they encrypt group messages with, giving him or her access to every message sent from then on. WhatsApp has acknowledged the server-side issue, but its spokesperson pushed back on the idea that an attacker could cache, block or otherwise suppress the alert telling the group that a new member has been added.
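The mechanism described above, as an added illustration that is not code from the original article, from WhatsApp, or from the researchers: a deliberately simplified model of sender-key group messaging in which each member encrypts under its own sender key and ships that key pairwise to anyone the server announces as a new member. The "vulnerable" client trusts the server's unauthenticated "add member" control message; the "hardened" variant is my own sketch of one way to close the gap (membership changes must carry an authenticator from the group admin that the server cannot produce, plus a counter against replay). All names, the toy cipher and the HMAC standing in for an admin signature are assumptions for the demonstration, not WhatsApp's real protocol.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# --- toy authenticated stream cipher (stand-in for the real sender-key cipher) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- group management (hypothetical; HMAC stands in for an admin signature) ---
def sign_add(admin_key: bytes, group: str, new_member: str, counter: int) -> bytes:
    """Admin's authenticator over a membership change. The server never holds admin_key."""
    return hmac.new(admin_key, f"{group}|{new_member}|{counter}".encode(), hashlib.sha256).digest()

class Client:
    def __init__(self, name: str, admin_key: bytes | None = None):
        self.name = name
        self.sender_key = os.urandom(32)        # key this client encrypts group messages under
        self.peer_keys: dict[str, bytes] = {}   # sender keys received from other members
        self.admin_key = admin_key              # None = vulnerable client that trusts the server
        self.last_counter = 0

    def on_add_member(self, msg: dict, transport: Transport) -> bool:
        """Handle an 'add member' control message delivered by the server.
        Returns True if the client accepted it and shipped its sender key to the newcomer."""
        if self.admin_key is not None:
            expected = sign_add(self.admin_key, msg["group"], msg["new"], msg["counter"])
            if msg["counter"] <= self.last_counter or not hmac.compare_digest(msg.get("auth", b""), expected):
                return False   # forged or replayed: a server-only attacker cannot mint this
            self.last_counter = msg["counter"]
        # Accepted (always, for the vulnerable client): hand our sender key to the new member
        transport.pairwise(self.name, msg["new"], self.sender_key)
        return True

    def on_sender_key(self, sender: str, key: bytes) -> None:
        self.peer_keys[sender] = key

    def send_group(self, plaintext: bytes) -> tuple[str, bytes]:
        return self.name, encrypt(self.sender_key, plaintext)

    def read_group(self, sender: str, blob: bytes) -> bytes | None:
        key = self.peer_keys.get(sender)
        return decrypt(key, blob) if key else None

class Transport:
    """Simulated pairwise end-to-end channel; the server only relays it and cannot read it."""
    def __init__(self, clients: dict[str, Client]):
        self.clients = clients

    def pairwise(self, frm: str, to: str, key: bytes) -> None:
        self.clients[to].on_sender_key(frm, key)

def run_scenario(hardened: bool) -> dict:
    """Constructed scenario: a malicious server injects 'add mallory' into alice and bob's group."""
    admin_key = os.urandom(32)
    members = {n: Client(n, admin_key if hardened else None) for n in ("alice", "bob")}
    mallory = Client("mallory")   # uninvited device run by whoever controls the server
    transport = Transport({**members, "mallory": mallory})
    forged = {"type": "add", "group": "g1", "new": "mallory", "counter": 1}   # no admin auth
    accepted = [c.on_add_member(forged, transport) for c in members.values()]
    sender, blob = members["alice"].send_group(b"meeting moved to 9am")
    leaked = mallory.read_group(sender, blob)   # bytes if mallory received alice's sender key
    # A genuine add carries the admin's authenticator; only the hardened clients check it
    legit = dict(forged, counter=2, auth=sign_add(admin_key, "g1", "mallory", 2))
    legit_ok = all(c.on_add_member(legit, transport) for c in members.values()) if hardened else None
    return {"forged_accepted": any(accepted), "mallory_read": leaked, "legit_accepted": legit_ok}

if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

In the vulnerable run the forged control message is enough: both phones dutifully send their sender keys to mallory, and the next group message decrypts on her device. In the hardened run the same message is dropped because the server cannot produce the admin's authenticator, while the genuine admin-authorised add still goes through. The "new member added" notice the article discusses is not modelled here; the point of the example is that the keys, not the notice, are what the eavesdropper needs.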

A WhatsApp spokesperson said: "WhatsApp is built so group messages can not be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent".

Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline!"

Moxie Marlinspike, creator of the Signal protocol on which WhatsApp's end-to-end encryption is built, explained in a forum post how WhatsApp group messaging works.

And while everyone in the chat would be notified that a new member has joined, it would likely fall to the group administrator to notice and call out an addition they did not make, since administrators are the ones who add members and create invite links. "There is no way to suppress this message", he wrote.

Marlinspike added: "In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure".