It has been reported recently that researchers have found a way to infiltrate WhatsApp group chats despite its end-to-end encryption.
At the Real World Crypto security conference on Wednesday in Zurich, Switzerland, researchers from Ruhr-Universität Bochum (RUB) in Germany showed that anyone who controls the WhatsApp (or Signal) servers can covertly add new members to any private group and thereby spy on the group's conversations, even without the permission of the WhatsApp group admin, Wired reports.
Once a new person is in the group, the phone of every other member automatically shares its secret keys with that person, giving them full access to all future messages, though not past ones. To the members it would appear as if the new member had joined with the admin's permission.
According to Android Central:
“The problem is that WhatsApp isn’t properly authenticating these group management requests on its own servers. A WhatsApp server needs to properly ID the sender of a message that would add a person to a group chat. The person sends a message that IDs both the group and the member it wishes to add and the server checks to make sure the person who sent it is actually a chat administrator. These messages aren’t end-to-end encrypted, and instead use standard transport encryption — the message coming from a chat administrator and going to a server that requests a user be added to a chat is not signed by the sender with their encryption key.
This means a WhatsApp server can add any user it wants to any group, at any time. The server can, not another user. That’s important, and it means any privacy expected in a WhatsApp group chat depends solely on trusting the WhatsApp chat server. That defeats the entire purpose of end-to-end encryption, which is designed so that privacy is guaranteed even if a server is compromised because only the sender and recipient can decrypt a message.
The only way this flaw can be exploited is by someone with access to the server doing it. That means a server gets compromised, or an employee goes rogue, or a three-letter government agency files a warrant. Any of those things could happen, might have happened in the past, and could even be happening right now. But one other thing needs to be considered — you’ll know if it happens to your chat.”
Facebook says it is not a problem. According to The Verge, Facebook’s Chief Security Officer Alex Stamos responded to the report on Twitter, saying, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”
Facebook acquired WhatsApp in February 2014 for over $19 billion in stock.
Stamos objected to the report, stating that there are multiple ways to check and verify the members of a group chat. He argued that since all members of a group chat can see who joins it, they will be notified of any eavesdropper. It is also worth asking what a redesigned, secure WhatsApp without this flaw would look like; according to Stamos, such a redesign would make the app less easy to use.
The researchers advise that the issue can be fixed simply by adding an authentication mechanism, so that group management messages are signed and members can verify that they come from the group administrator only. They alerted WhatsApp to the problem with group messaging security last July. In response to their report, WhatsApp’s staff say they fixed one problem with a feature of their encryption that made it harder to crack future messages even after an attacker obtained one decryption key. But they told the researchers that the group invitation bug they had found was merely “theoretical” and did not even qualify for the bug bounty program run by Facebook, WhatsApp’s corporate owner, in which security researchers are paid for reporting hackable flaws in the company’s software.
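As an added illustration, not code from the paper or from WhatsApp, the Go sketch below contrasts a member's phone that honours any add message the server relays (checking only the claimed sender) with one that requires the group admin's signature; the message layout, names and phone numbers are made up for the example, and the admin's public key is assumed to be known to members from group creation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GroupAdd is a constructed stand-in for the group-management message that
// tells every member's phone to start sharing keys with NewMember.
type GroupAdd struct {
	GroupID, Sender, NewMember string
	Signature                  []byte // absent in the flawed variant
}

// encode length-prefixes each field so that distinct messages never collide.
func (m GroupAdd) encode() []byte {
	var out []byte
	for _, f := range []string{m.GroupID, m.Sender, m.NewMember} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// acceptUnauthenticated models the flaw: the phone honours any add the
// server delivers as long as the Sender field names an admin.
func acceptUnauthenticated(m GroupAdd, admins map[string]bool) bool {
	return admins[m.Sender]
}

// acceptSigned models the fix: the add must verify under the admin's public
// key, which the server does not hold, so it cannot forge or alter one.
func acceptSigned(m GroupAdd, adminKeys map[string]ed25519.PublicKey) bool {
	pk, ok := adminKeys[m.Sender]
	return ok && len(m.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pk, m.encode(), m.Signature)
}

// demo returns: flawed check on a server-forged add, fixed check on that
// forgery, fixed check on the admin-signed add, fixed check after tampering.
func demo() (forgedOld, forgedNew, genuineNew, tamperedNew bool) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	admins := map[string]bool{"+15550001": true}
	adminKeys := map[string]ed25519.PublicKey{"+15550001": adminPub}
	forged := GroupAdd{GroupID: "g1", Sender: "+15550001", NewMember: "+15559999"}
	genuine := forged
	genuine.Signature = ed25519.Sign(adminPriv, genuine.encode())
	tampered := genuine // server swaps in a different member after signing
	tampered.NewMember = "+15558888"
	return acceptUnauthenticated(forged, admins), acceptSigned(forged, adminKeys),
		acceptSigned(genuine, adminKeys), acceptSigned(tampered, adminKeys)
}

func main() {
	fmt.Println(demo()) // true false true false
}
```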
WhatsApp claims to offer end-to-end encryption for all messages, meaning that neither WhatsApp nor any other party – governments, police, hackers, other users – can intercept and read user messages. WhatsApp uses part of a security protocol developed by Open Whisper Systems, the company behind the secure messaging app Signal (for iOS and Android).
Over 1 billion people around the world use WhatsApp daily.
[PDF] WhatsApp Group Chat Vulnerability: research paper by Paul Rösler, Christian Mainka, and Jörg Schwenk of Ruhr-Universität Bochum, Germany