WhatsApp 'bug' raises questions over group message privacy

German cryptographers have found in their research that WhatsApp group chats are hackable, noting that any new member can read the group chats.

According to the researchers, once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group.

The server can simply add a new member to a group with no interaction on the part of the administrator.

Paul Rösler, Christian Mainka, and Jörg Schwenk analyzed three widely used protocols and their implementations, and found that if someone - e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) - gains control of WhatsApp's servers, they could easily insert a new member into a private group without the permission of the group's administrator(s). Usually, only admins can add new members to private groups.

Once an uninvited member has been added to the group, the group's confidentiality is broken, because that member can access and read all new messages, claims one of the researchers.

According to the report, the attack on WhatsApp group chats takes advantage of a bug.

Once the new person is added to the group, the phone of each member of the group chat automatically shares secret keys with that person, giving them full access to all future encrypted messages sent in the chat.

While messages shared before the attacker enters the group cannot be read, the attack does give the person access to all messages shared from that point onward.
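The following added example (not taken from the researchers' paper or from WhatsApp's code) models the flaw described above: a client that trusts any server-relayed "add member" update hands its key to the newcomer, while a client that requires the update to be authenticated end to end by an admin rejects the forgery. The `GroupClient` class, the message fields and the use of an HMAC over a pairwise key as the authentication mechanism are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def tag(key: bytes, body: dict) -> str:
    """MAC over a canonical encoding of the update (stand-in for E2E authentication)."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class GroupClient:
    """One member's local view of a group. Hypothetical model, not WhatsApp code."""

    def __init__(self, members, admins, pairwise_keys, verify_adds):
        self.members = set(members)
        self.admins = set(admins)
        self.pairwise_keys = pairwise_keys  # peer name -> key shared only with that peer
        self.verify_adds = verify_adds
        self.key_sent_to = set()            # who has received our group key

    def handle_add(self, update: dict) -> bool:
        """Process an 'add member' update relayed by the server."""
        body = update["body"]
        if self.verify_adds:
            key = self.pairwise_keys.get(body.get("by"))
            if body.get("by") not in self.admins or key is None:
                return False                # claimed sender is not a known admin
            if not hmac.compare_digest(tag(key, body), update.get("tag", "")):
                return False                # the server cannot produce this tag
        # As the article describes: the phone automatically shares keys with the newcomer.
        self.members.add(body["new_member"])
        self.key_sent_to.add(body["new_member"])
        return True

def demo() -> dict:
    """Run a forged and a genuine add against both client behaviours."""
    alice_bob_key = b"constructed-pairwise-key"     # constructed sample value
    forged = {"body": {"op": "add", "by": "alice", "new_member": "mallory"}, "tag": ""}
    real_body = {"op": "add", "by": "alice", "new_member": "carol"}
    genuine = {"body": real_body, "tag": tag(alice_bob_key, real_body)}
    results = {}
    for verify in (False, True):
        bob = GroupClient({"alice", "bob"}, {"alice"}, {"alice": alice_bob_key}, verify)
        results[verify] = (bob.handle_add(forged), bob.handle_add(genuine), sorted(bob.key_sent_to))
    return results

if __name__ == "__main__":
    print(demo())
```

A real design would also bind each update to the group and to a counter so that an old genuine add cannot be replayed; that is not modelled here.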

In May 2016, Facebook-owned WhatsApp introduced end-to-end encryption for its users across the globe.

As per the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to the group, and it is possible for an unauthorized person, who is not even a member of the group, to add someone to the group chat. "We built WhatsApp so group messages cannot be sent to a hidden user." He argued that since all members of a group chat can see who joins a chat, they'll be notified of any eavesdroppers.

But Facebook-owned WhatsApp says the problem isn't as bad as the researchers are making out.

While the group and the chats themselves have a layer of end-to-end encryption, the servers that the chats run on don't. The WhatsApp server can therefore stealthily reorder and drop messages in the group.

"We've looked at this issue carefully," a WhatsApp spokesman said in a statement. "The privacy and security of our users is incredibly important to WhatsApp."

He also said there are multiple ways to check and verify the members of a group chat.

Open Whisper Systems, the creators of Signal, told Wired that they are now redesigning how Signal handles group messaging, but did not share any more than that. This does not mean that the remaining members of the group won't know that a new one has joined.
