A team of German cryptographers from Ruhr University Bochum has found flaws in WhatsApp’s group chats which, despite the service’s end-to-end encryption, make it possible to join private group chats without the admin’s permission. WhatsApp has a user base of over million users, which makes it the most popular messaging service.
As reported by Wired, the risk posed by the flaw is limited, because an attacker needs control of WhatsApp’s servers to insert themselves into a group conversation. Once a new person is in, the phone of every member of that group automatically shares its secret keys with that person, giving them full access to all future messages, though not to past ones. To the members, it appears as if the new participant had joined with the admin’s permission.
In the paper summarizing their findings, the researchers recommend that users who rely on absolute privacy stick to Signal or to one-to-one private messaging. They explained how the WhatsApp bug works: “Only the administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof. This allows the server controller to add a new group person without the group admin’s knowledge.”
A WhatsApp spokesperson confirmed the researchers’ findings on Twitter, but emphasized that no one can secretly add a new member to a group: every member receives a notification that a new, unknown member has joined. The spokesperson added that if an administrator spots a suspicious new addition, they can always warn the other users in another group or in one-to-one messages. The spokesperson also noted that preventing the Ruhr University researchers’ attack would likely break a popular WhatsApp feature, the “group invite link”, which lets anyone join a group simply by clicking a URL.
As for WhatsApp, the researchers write that the company could fix its more egregious group chat flaw by adding an authentication mechanism for new group invitations. Using a secret key only the administrator possesses to sign those invitations could let the admin prove his or her identity and prevent the spoofed invites, locking out uninvited guests. WhatsApp has yet to take their advice.
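The following Go program is an added illustration of the two points above: the flaw the researchers describe (members accept any “add member” message the server relays) and the fix they propose (members accept an invitation only if it carries a signature from a key held by the group admin). It is not WhatsApp’s code or the researchers’ code; the group model, the message layout and the use of Ed25519 are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Group models a chat group as the article describes it: a set of members and
// one admin. In this example each member is assumed to know the admin's public key.
type Group struct {
	ID       string
	AdminPub ed25519.PublicKey
	Members  map[string]bool
}

// AddMemberUpdate is the control message the server relays to every member.
// The Signature field is empty in the unauthenticated variant.
type AddMemberUpdate struct {
	GroupID   string
	NewMember string
	Signature []byte
}

// payload is the byte string the admin signs. Binding the group ID prevents a
// signed invite for one group from being replayed into another.
func (u AddMemberUpdate) payload() []byte {
	return []byte(u.GroupID + "\x00" + u.NewMember)
}

// NewGroup builds a group with the given admin public key and initial members.
func NewGroup(id string, adminPub ed25519.PublicKey, members ...string) *Group {
	g := &Group{ID: id, AdminPub: adminPub, Members: map[string]bool{}}
	for _, m := range members {
		g.Members[m] = true
	}
	return g
}

// ApplyUnauthenticated models the behaviour described in the article: a member
// trusts whatever "add member" message the server delivers for its group.
func (g *Group) ApplyUnauthenticated(u AddMemberUpdate) error {
	if u.GroupID != g.ID {
		return errors.New("update is for a different group")
	}
	g.Members[u.NewMember] = true
	return nil
}

// ApplyAuthenticated models the researchers' proposed fix: the update is applied
// only if the admin's signature over (group ID, new member) verifies.
func (g *Group) ApplyAuthenticated(u AddMemberUpdate) error {
	if u.GroupID != g.ID {
		return errors.New("update is for a different group")
	}
	if !ed25519.Verify(g.AdminPub, u.payload(), u.Signature) {
		return errors.New("invitation not signed by the group admin: rejected")
	}
	g.Members[u.NewMember] = true
	return nil
}

// AdminInvite is what the real admin produces: the update plus its signature.
func AdminInvite(adminPriv ed25519.PrivateKey, groupID, newMember string) AddMemberUpdate {
	u := AddMemberUpdate{GroupID: groupID, NewMember: newMember}
	u.Signature = ed25519.Sign(adminPriv, u.payload())
	return u
}

func main() {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)

	// A server-originated update with no admin signature (constructed for the demo).
	forged := AddMemberUpdate{GroupID: "family", NewMember: "unknown-user"}

	old := NewGroup("family", adminPub, "alice", "bob")
	fmt.Println("unauthenticated:", old.ApplyUnauthenticated(forged), old.Members)

	fixed := NewGroup("family", adminPub, "alice", "bob")
	fmt.Println("authenticated, forged:", fixed.ApplyAuthenticated(forged))
	fmt.Println("authenticated, admin-signed:",
		fixed.ApplyAuthenticated(AdminInvite(adminPriv, "family", "carol")), fixed.Members)
}
```

The signed variant stops a relaying server from adding a member on its own, which is the property the researchers asked for. It does not by itself stop the server from replaying an old, genuinely signed invite (for example to re-add someone the admin later removed); a deployed design would also bind a counter or the current membership state into the signed payload.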