A critical vulnerability in WhatsApp has been discovered that lets anyone join the chat and spy on conversations without admin’s permission.
With the increasing emphasis on digital privacy, companies are trying their level best to make their services secure and reliable for users. Two years back mobile messaging app WhatsApp was equipped with end-to-end encryption in order to provide its users comprehensive security from government spying, hackers’ scams and WhatsApp itself. However, making group chats protected with end-to-end encryption is not as easy as regular conversations are. Latest research from a group of cryptographers from Germany’s Ruhr University Bochum proves just that.
According to the team of researchers, group chat encryption in WhatsApp and other messaging apps including Signal and Threema is flawed that makes infiltrating the chats much easier for cybercriminals without seeking permission from group admin. The findings of their research were revealed at the Real World Crypto security conference (RWC) held in Zurich, Switzerland on Wednesday. Researchers revealed that they identified a series of flaws in encryption process for group chats in the abovementioned apps and the flaws greatly undermine the security claims of each of these app’s multi-person group communications to various degrees.
The flaws were identified in the security protocols of all the apps but WhatsApp’s case is particularly shocking given that there are over a billion users associated with the app. Moreover, the nature of flaws in Threema and Signal are not as serious as of WhatsApp’s since anyone can gain control of WhatsApp’s servers to compromise private groups and perform a variety of exploits such as inserting new people into the group. Since group administrator’s permission is not required, therefore, there is every possibility that criminals would want to make use of the flaws. Paul Rösler, the co-author of the paper [PDF] and member of the research team, wrote that:
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. If I hear there’s end-to-end encryption for both groups and two-party communications that means adding of new members should be protected against. And if not, the value of encryption is very little.”
Incidentally, WhatsApp utilizes Signal protocol for enabling end-to-end encryption and the flaw is present in the authentication system of the app. Researchers noted in their paper that WhatsApp does not use any authentication method when group admin adds a new member to the group. This makes its servers vulnerable to spoofing since if a person gets control of the app’s servers then anyone can be added to the group.
Although the new member will not be able to read previous conversations between group members but after getting added, he/she will be able to access all the messages. There are salient other risks involved such as an attacker can manipulate and delete the messages. As Rösler pointed out: “He can cache all the message and then decide which get sent to whom and which not.”
The flaws have been confirmed by WhatsApp as well and the company stated that every time a new, unknown member is added to the group, a notification alert is sent by the app to group admin. While speaking with Wired, WhatsApp’s spokesperson stated:
“We’ve looked at this issue carefully…Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user.”
To prevent group chats from being invaded by uninvited individuals, it is important that the security protocols for group chars are tweaked and the flaws pointed out by researchers are fixed. Researchers noted that in this research they only focused upon three applications, their model can be applied to other apps too to protect group instant messaging protocols on a broader spectrum.