WhatsApp group chats might not be so secure and can be infiltrated without the group admin's permission, according to a team of German security researchers. The group discovered flaws in the group-chat security protocols of three popular instant messaging apps, with WhatsApp standing out given its user base of more than 1 billion. The researchers looked at WhatsApp, Signal and Threema and presented their findings at the Real World Crypto security conference in Zurich, Switzerland, according to a report on Wired.
According to the report, while the flaws in Signal and Threema were not so serious, with WhatsApp the researchers found that anyone with control of the app's servers could insert new people into private groups. This would be possible without the group administrator's permission, according to the researchers. WhatsApp has introduced end-to-end encryption across the app and made all conversations, including group conversations, private, meaning no third party can read them, be it a government, criminals or even WhatsApp itself. WhatsApp relies on the Signal protocol for its end-to-end encryption.
According to the report on Wired, the researchers pointed out a bug in WhatsApp's system of authentication. They point out that "WhatsApp doesn't use any authentication mechanism" when a new member is added to a group, so the addition is something WhatsApp's own servers can spoof as well. The researchers claim that someone with control of WhatsApp's servers can add a new person to a group without the administrator even knowing.
While messages shared before the attacker enters the group cannot be read, the insertion does give that person access to all messages shared from that point onward. The researchers say there are many further risks in group chats where the attacker has control of the server, because they can then manipulate who receives which messages, delete messages and more.
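To make the reported weakness concrete, here is an added toy simulation (not the researchers' code and not WhatsApp's protocol) in which group clients either accept any "add member" control message the server relays, or insist that it carry an authentication tag only the group admin can produce. The client names, group id and the HMAC stand-in for an admin signing key are assumptions of this example; a real fix would use a public-key signature, but HMAC keeps the code dependency-free.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for an admin signing key: known to the admin and to
# legitimate members, never to the server (assumption of this example).
ADMIN_KEY = b"admin-signing-key-not-known-to-server"


def authenticate_add(key: bytes, group: str, new_member: str) -> bytes:
    """Tag an 'add member' control message so clients can check who issued it."""
    body = json.dumps({"group": group, "add": new_member}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


@dataclass
class Client:
    name: str
    members: set
    verify_admin: bool  # False models the unauthenticated behaviour described above
    inbox: list = field(default_factory=list)

    def on_member_added(self, group: str, new_member: str, tag: bytes) -> bool:
        expected = authenticate_add(ADMIN_KEY, group, new_member)
        if self.verify_admin and not hmac.compare_digest(tag, expected):
            return False  # reject a roster change the admin did not authorise
        self.members.add(new_member)
        return True


class Server:
    """Relays control messages; whoever controls it can send arbitrary ones."""
    def __init__(self, clients):
        self.clients = {c.name: c for c in clients}

    def push_add(self, group, new_member, tag):
        for c in self.clients.values():
            c.on_member_added(group, new_member, tag)

    def deliver(self, sender, text):
        # Each sender encrypts for its *own* view of the roster, so only members
        # in that view can read the message; the server itself cannot.
        for m in self.clients[sender].members:
            self.clients[m].inbox.append(text)


def server_injection_succeeds(verify_admin: bool) -> bool:
    """True if a member pushed by a rogue server (forged tag) reads later messages."""
    alice = Client("alice", {"alice", "bob"}, verify_admin)
    bob = Client("bob", {"alice", "bob"}, verify_admin)
    eve = Client("eve", set(), verify_admin)
    server = Server([alice, bob, eve])
    server.push_add("g1", "eve", b"\x00" * 32)  # server lacks ADMIN_KEY, so it forges
    server.deliver("alice", "sent after the injection")
    return "sent after the injection" in eve.inbox


def admin_add_succeeds() -> bool:
    """With verification on, a genuinely admin-authorised add is still accepted."""
    bob = Client("bob", {"alice", "bob"}, verify_admin=True)
    return bob.on_member_added("g1", "carol", authenticate_add(ADMIN_KEY, "g1", "carol"))
```

With `verify_admin=False` the injected member receives every message sent after the roster change; with verification on, the forged add is dropped while a real admin-issued add still goes through.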
The paper is now available online. The security researchers argue that the security protocols for group chats will need to be strengthened in light of the vulnerabilities they have pointed out. According to the paper, research into "end-to-end protected group communications" has received little attention so far. They also note that while they focused on three applications, their "methodology and the underlying model is of generic purpose and can be applied to other secure group instant messaging protocols as well."
WhatsApp confirmed these findings to Wired, though it said that every time a new member is added, the app sends a notification to the existing members. In a statement to Wired, the company said, "We've looked at this issue carefully…Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user."