Security researchers reveal flaw in WhatsApp encryption


In a revelation that could change how much people trust services that offer end-to-end encryption, researchers said that a critical flaw, or feature, in WhatsApp allows anyone who controls WhatsApp's servers to add new people to a group without obtaining permission from the administrator of the group. "Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members", the research states.

Researchers from the Ruhr University Bochum in Germany announced that they had discovered flaws in WhatsApp's security at the Real World Crypto security conference in Switzerland, according to Wired.

Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline! But there is no [sic] a secret way into WhatsApp groups chats".

This is a big problem, because WhatsApp prides itself on end-to-end encryption for its messages.

It is common for existing members to be alerted when new members are added to the WhatsApp group.

As noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed.


The research says that the app does not use any authentication to check administrators' invitations to group chats. Once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group, including those that ask questions or provide warnings about the new entrant.

It seems that anyone who controls WhatsApp's servers could insert new people into private group chats without needing admin permission.

Responding to the report, WhatsApp said, "We've looked at this issue carefully". The concern raised here is that in groups with multiple administrators, the invited user can send messages to the various admins, fooling each of them about who invited the user. Clients of a group retrieve the membership list from the server, and clients encrypt every message they send end-to-end to all group members. The fear for some people is that government agencies will coerce WhatsApp into allowing the flaw to be exploited to eavesdrop on conversations. "The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity".
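The two weaknesses described above, unauthenticated "add member" operations and former members re-adding themselves, can both be closed on the client side if membership changes carry an authentication tag under a key the server never holds. The following is an added illustration, not WhatsApp's code or the researchers' own proposal: an HMAC under a per-admin secret shared with members over the e2e channel stands in for a real signature, and the counter check rejects replayed operations.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Hypothetical model (added example, not WhatsApp's protocol): each admin holds
# a secret that members received over the end-to-end channel; the server never
# sees it, so it cannot produce a valid tag on a group-management message.

def tag_op(admin_key: bytes, op: dict) -> str:
    """Authenticate a group-management operation with the admin's secret."""
    payload = json.dumps(op, sort_keys=True).encode()
    return hmac.new(admin_key, payload, hashlib.sha256).hexdigest()

@dataclass
class GroupClient:
    group_id: str
    members: set
    admins: dict            # admin_id -> secret learned e2e, not from the server
    seen_counter: int = 0   # highest operation counter accepted so far

    def apply_add(self, op: dict, tag: str) -> bool:
        """Accept an 'add' only if a current admin tagged it for this group and
        its counter is strictly increasing (blocks replay of an old add)."""
        if op.get("type") != "add" or op.get("group") != self.group_id:
            return False
        key = self.admins.get(op.get("by"))
        if key is None:
            return False                      # not signed by a known admin
        if not hmac.compare_digest(tag_op(key, op), tag):
            return False                      # forged or tampered operation
        if op["counter"] <= self.seen_counter:
            return False                      # replayed operation
        self.seen_counter = op["counter"]
        self.members.add(op["member"])
        return True

def demo():
    admin_key = b"constructed-admin-secret"   # constructed sample value
    c = GroupClient("g1", {"alice", "bob"}, {"alice": admin_key})
    legit = {"type": "add", "group": "g1", "by": "alice", "member": "carol", "counter": 1}
    ok = c.apply_add(legit, tag_op(admin_key, legit))
    # a server-originated add: the server holds no admin secret, so its tag fails
    forged = {"type": "add", "group": "g1", "by": "alice", "member": "mallory", "counter": 2}
    forged_ok = c.apply_add(forged, tag_op(b"server-has-no-admin-key", forged))
    # replay of the genuine add (e.g. by a former member who saved it) is rejected
    replay_ok = c.apply_add(legit, tag_op(admin_key, legit))
    return ok, forged_ok, replay_ok, sorted(c.members)
```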

A WhatsApp spokesperson told Wired that "no one can secretly add a new member to a group and a notification does go through that a new, unknown member has joined the group".

The main problem is this: end-to-end encryption, which all of these messaging apps purport to offer, should not depend on uncompromised servers.
