Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago and made group conversations private, meaning no third party can read them, be it government, criminals or even WhatsApp itself. But according to a team of German security researchers, WhatsApp group chats might not be so secure and can be infiltrated without the group admin's permission.
According to a report in Wired.com, cryptographers from Ruhr University Bochum in Germany discovered flaws in the group-chat security protocols of three popular instant messaging apps, with WhatsApp standing out because of its 1 billion-plus user base. The researchers looked at WhatsApp, Signal and Threema and announced their findings at the “Real World Crypto Security Conference” in Zurich, Switzerland, on Wednesday (January 10).
According to the report, Signal's and Threema's flaws were not so serious. With WhatsApp, however, the researchers found that once an attacker with control of the WhatsApp server had gained access to a conversation, he or she could also use the server to selectively block any messages in the group.
“Anyone who controls the app’s servers could insert new people into private group chats without needing admin permission,” the report said, citing the cryptographers. “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the Ruhr University researchers, was quoted as saying.
The attack on WhatsApp group chats takes advantage of a bug in how group membership is handled. WhatsApp, incidentally, relies on the Signal protocol for its end-to-end encryption.
“Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof,” the report said. So the server can simply add a new member to a group with no interaction on the part of the administrator.
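The following simulation, added here as an illustration and not code from WhatsApp or from the Ruhr University researchers, shows the difference the missing authentication makes. A naive client applies whatever "add member" message the server relays; a hardened client only applies membership changes that an admin has authenticated with a secret the server never sees. For simplicity the admin's proof is an HMAC over the message using a constructed group key shared by members only; a real design would use a signature under the admin's own key, which this example stands in for. All names, keys and message fields are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample key: known to every group member, never to the server.
GROUP_KEY = b"constructed-group-key-known-only-to-members"


@dataclass
class GroupState:
    admins: set
    members: set
    last_counter: int = 0  # highest membership-update counter applied so far


def membership_mac(key: bytes, sender: str, action: str, target: str, counter: int) -> str:
    """Authenticator over the canonical encoding of a membership update."""
    payload = json.dumps(
        {"sender": sender, "action": action, "target": target, "counter": counter},
        sort_keys=True,
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_update(key: bytes, sender: str, action: str, target: str, counter: int) -> dict:
    """An admin builds a membership update and authenticates it with the group key."""
    return {
        "sender": sender,
        "action": action,
        "target": target,
        "counter": counter,
        "mac": membership_mac(key, sender, action, target, counter),
    }


def apply_unauthenticated(state: GroupState, msg: dict) -> bool:
    """Naive client: trusts that the server only relays updates an admin made."""
    if msg["action"] == "add":
        state.members.add(msg["target"])
        return True
    if msg["action"] == "remove":
        state.members.discard(msg["target"])
        return True
    return False


def apply_authenticated(state: GroupState, key: bytes, msg: dict) -> bool:
    """Hardened client: checks the sender is an admin, the MAC verifies under the
    group key, and the counter is fresh (rejects replays) before applying anything."""
    if msg["sender"] not in state.admins:
        return False
    if msg["counter"] <= state.last_counter:
        return False
    expected = membership_mac(key, msg["sender"], msg["action"], msg["target"], msg["counter"])
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False
    if msg["action"] == "add":
        state.members.add(msg["target"])
    elif msg["action"] == "remove":
        state.members.discard(msg["target"])
    else:
        return False
    state.last_counter = msg["counter"]
    return True


def demo() -> dict:
    naive = GroupState(admins={"alice"}, members={"alice", "bob"})
    hardened = GroupState(admins={"alice"}, members={"alice", "bob"})

    # A server that does not know GROUP_KEY can only attach a bogus authenticator.
    server_forged = {"sender": "alice", "action": "add", "target": "mallory",
                     "counter": 1, "mac": "00" * 32}
    naive_forged = apply_unauthenticated(naive, server_forged)
    hardened_forged = apply_authenticated(hardened, GROUP_KEY, server_forged)

    # A genuine update from the admin carries a MAC the members can verify.
    legit = make_update(GROUP_KEY, "alice", "add", "carol", counter=1)
    hardened_legit = apply_authenticated(hardened, GROUP_KEY, legit)

    # Relaying the same genuine update a second time is rejected as a replay.
    hardened_replay = apply_authenticated(hardened, GROUP_KEY, legit)

    return {
        "naive_accepted_forgery": naive_forged,
        "naive_members": set(naive.members),
        "hardened_accepted_forgery": hardened_forged,
        "hardened_accepted_legit": hardened_legit,
        "hardened_replay_accepted": hardened_replay,
        "hardened_members": set(hardened.members),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is that confidentiality of the group depends on who can authorise membership, not only on message encryption: with the naive client, a party controlling the relay adds "mallory" and from then on receives every message encrypted for the group, while the hardened client never lets an unverified addition through.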
WhatsApp says it has looked at this issue carefully.