California: WhatsApp is one of the most widely used instant messaging services worldwide, and comes with end-to-end encryption that promises your conversations are safe. A group of researchers, however, has claimed that a security flaw can allow WhatsApp group chats to be snooped on.
German researchers have now reportedly found a way to breach WhatsApp’s security and sneak into group chats. The researchers found that flaws in WhatsApp make it much easier to break into group conversations than should be the case. Presenting at the Real World Crypto security conference in Zurich, Switzerland, the German cryptographers exhibited a series of flaws in encrypted messaging apps including WhatsApp, Signal and Threema. According to a report by Wired, the flaws found in Signal and Threema were relatively harmless, while those found in WhatsApp were a severe privacy concern.
According to the researchers, anyone who has access to and controls WhatsApp’s servers could insert new people into an otherwise private group without much hassle.
Paul Rösler, one of the Ruhr University researchers, said, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little.”
“Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof,” the paper said. So the server can simply add a new member to a group with no interaction on the part of the administrator.
The smartphone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages, the researchers claimed.
The described weaknesses in WhatsApp enable an attacker who controls the WhatsApp server to break the transport layer security and take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface.
“The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces,” the paper added.
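The weakness described above, as an added example that is not taken from the paper or from WhatsApp: a toy simulation in which clients either trust any membership update the server delivers, or require an admin-produced authenticator before adding a member and sharing their keys with it. All names, keys and the HMAC-based tag are constructed for this example; a real design would use a public-key signature so that only the admin, not every member, can produce the tag.

```python
import hmac, hashlib, json, os

def canonical(update):
    # serialise exactly the fields the authenticator covers, in a fixed order
    return json.dumps({k: update[k] for k in ("group", "op", "member", "seq")},
                      sort_keys=True).encode()

def sign_update(admin_key, update):
    # the admin attaches a tag the server cannot forge because it lacks admin_key
    # (HMAC stands in for a signature here; see the lead-in)
    tag = hmac.new(admin_key, canonical(update), hashlib.sha256).hexdigest()
    return dict(update, tag=tag)

class Client:
    def __init__(self, name, admin_key=None):
        self.name = name
        self.members = {"admin", "alice", "bob"}
        self.admin_key = admin_key          # None: trust whatever the server delivers
        self.keys_shared_with = set()       # who received this client's sender key

    def on_membership_update(self, update):
        if self.admin_key is not None:
            expected = hmac.new(self.admin_key, canonical(update), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, update.get("tag", "")):
                return False                # unauthenticated add: ignore, share no keys
        if update["op"] == "add":
            self.members.add(update["member"])
            self.keys_shared_with.add(update["member"])  # the automatic key share
        return True

def run_scenario(authenticated):
    """Deliver one server-forged add and one genuine admin add; report the outcome."""
    admin_key = os.urandom(32)              # constructed; never given to the server
    clients = [Client(n, admin_key if authenticated else None) for n in ("alice", "bob")]
    # 1. the server, on its own, injects an add for an uninvited member
    forged = {"group": "g1", "op": "add", "member": "mallory", "seq": 1}
    results = {"forged_accepted": all([c.on_membership_update(forged) for c in clients])}
    # 2. the real admin adds carol (tagged only when clients are set to verify)
    genuine = {"group": "g1", "op": "add", "member": "carol", "seq": 2}
    if authenticated:
        genuine = sign_update(admin_key, genuine)
    results["genuine_accepted"] = all([c.on_membership_update(genuine) for c in clients])
    results["key_holders"] = set.union(*(c.keys_shared_with for c in clients))
    return results
```

With `authenticated=False` the uninvited member ends up holding every participant's keys; with `authenticated=True` only the admin-added member does.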
Facebook’s Chief Security Officer Alex Stamos promptly responded to the WhatsApp vulnerability report and tweeted, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”
Stamos defended WhatsApp and said, “On WhatsApp, existing members of a group are notified when new people are added. WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.”
The company further said that it had looked at the vulnerability report, and that following the researchers’ proposal would necessitate a change to the way WhatsApp provides a popular feature called group invite links, which are used millions of times per day.
“In sum, the clear notifications and multiple ways of checking who is in your group prevent silent eavesdropping. The content of messages sent in WhatsApp groups remains protected by end-to-end encryption,” Stamos added.