Group messages could be easily spied upon, WhatsApp denies claim
WhatsApp applies end-to-end encryption to every chat conversation for its 1.3 billion users. Though that sounds safe, there is a flaw in group messaging that an attacker can exploit. A group of researchers from the Ruhr University Bochum, Germany, say that anyone who controls WhatsApp's servers could insert new people into a private group, even without the permission of that group's administrator.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," says Paul Rösler, one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities. "If I hear there's end-to-end encryption for both groups and two-party communications, that means adding new members should be protected against. And if not, the value of encryption is very little."
The researchers say that the administrator of a WhatsApp group can invite new members, but WhatsApp does not authenticate that invitation. The server can therefore simply add a new member to a group with no interaction on the part of the administrator. Every participant in the group then automatically shares secret keys with the new member, giving him or her full access to any future messages.
Once an attacker controls the WhatsApp server, he has access to the conversation and could also use the server to selectively block messages in the group. "He can cache all the messages and then decide which get sent to whom and which not," says Rösler.
According to WIRED, a WhatsApp spokesperson confirmed the researchers' findings but emphasised that no one can secretly add a new member to a group: a notification is sent that a new, unknown member has joined. The staffer added that if an administrator spots a suspicious new addition to a group, they can always tell other users via another group, or in one-to-one messages. The spokesperson also noted that preventing the Ruhr University researchers' attack would likely break a popular WhatsApp feature known as a "group invite link", which allows anyone to join a group simply by clicking on a URL.
A WhatsApp spokesperson has clarified through an email that, “Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users are incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
The researchers write that the company could fix this group chat flaw by adding an authentication mechanism for new group invitations. Signing those invitations with a secret key that only the administrator possesses would let the admin prove his or her identity and prevent spoofed invites, locking out uninvited guests. WhatsApp is yet to take their advice.
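The unauthenticated group add described above and the admin-signed invitation the researchers propose, side by side as an added Go model (not WhatsApp's or the researchers' code): the message layout, the group and member names, and the choice of ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Added illustration, not WhatsApp's code: layout and names are assumptions.
// Members are assumed to already hold the admin's verifying key.
type AddMember struct {
	Group     string // group the new member is being added to
	NewMember string // identity being added
	Signature []byte // admin's ed25519 signature; empty in the flawed protocol
}

// payload binds the member to one specific group so a signed invite for one
// group cannot be replayed into another.
func payload(group, member string) []byte {
	return []byte(group + "\x00" + member)
}

// SignAdd is what the genuine admin's client produces for a new invitation.
func SignAdd(adminPriv ed25519.PrivateKey, group, member string) AddMember {
	sig := ed25519.Sign(adminPriv, payload(group, member))
	return AddMember{Group: group, NewMember: member, Signature: sig}
}

// AcceptUnauthenticated models the flaw: every relayed add is trusted, so
// whoever controls the server can insert anyone and receive future keys.
func AcceptUnauthenticated(members []string, msg AddMember) []string {
	return append(members, msg.NewMember)
}

// AcceptAuthenticated models the proposed fix: the add is applied only if the
// admin's signature over (group, member) verifies; otherwise it is dropped.
func AcceptAuthenticated(adminPub ed25519.PublicKey, members []string, msg AddMember) ([]string, bool) {
	if !ed25519.Verify(adminPub, payload(msg.Group, msg.NewMember), msg.Signature) {
		return members, false
	}
	return append(members, msg.NewMember), true
}

func main() {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	members := []string{"alice", "bob"}
	forged := AddMember{Group: "family", NewMember: "intruder"} // server-injected, unsigned
	fmt.Println("flawed client:", AcceptUnauthenticated(members, forged))
	_, ok := AcceptAuthenticated(adminPub, members, forged)
	fmt.Println("hardened client accepted forged add:", ok)
	members, ok = AcceptAuthenticated(adminPub, members, SignAdd(adminPriv, "family", "carol"))
	fmt.Println("hardened client accepted signed add:", ok, members)
}
```

Distributing the admin's public key to members is out of scope here; in practice it would travel over the members' existing pairwise encrypted channels so that the server cannot substitute its own key.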