Update: A WhatsApp spokesperson responded to BGR India saying, “We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
WhatsApp drives most of our communications today. Given its reach, even a single backdoor could put millions at risk of having their private conversations eavesdropped on. Now researchers have found a vulnerability in the encrypted group chats of the WhatsApp and Signal messaging apps that could allow an outsider to access and even manipulate personal conversations.
Researchers at the Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp or Signal servers can covertly add new members to any private group, allowing them to snoop on group conversations, all without the permission of the group administrator.
WhatsApp introduced end-to-end encryption to assure users that their conversations cannot be accessed, even by the company providing the service, should it so desire. However, the research states that messaging services like WhatsApp, Threema, and Signal have not been able to achieve a zero-knowledge system.
The purpose of end-to-end encryption is to remove the need to trust the intermediate servers: neither the company nor the server that transmits the data should be able to decrypt the messages or abuse its centralized position. It plays an important role in securing apps against three types of attacker: a malicious user, a network attacker, and a malicious server.
The researchers explain that in pairwise communication, where only two users communicate with each other, the server plays a limited role. In a group conversation, however, the server takes on a much larger role in coordinating the group, and that is where the vulnerability lies: the company’s servers are trusted to manage the group members, who have full access to the group conversation, and their actions, The Hacker News reports.
As per the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to a group, so an unauthorized person, who is not even a member of the group, can add someone to the group chat. Interestingly, a compromised admin or a malicious employee with access to the server could also manipulate the alerts so that the other group members receive no notification of a new person joining them.
An attacker who breaks the transport layer security can take full control over a group. However, doing so leaves traces, as the operation is listed in the graphical user interface; the WhatsApp server can therefore exploit the fact that it is able to stealthily reorder and drop messages in the group. This basically means an attacker could cache sent messages, read them first, and then rearrange the order in which they are delivered to group members, leading to quite a catastrophe.
As per the report, WhatsApp has acknowledged the issue, but argued that a notification will always be sent whenever anyone adds a new member to a group.
Researchers advise messaging services to address the issue by adding an authentication mechanism to ensure that “signed” group management messages come only from the group administrator. As the attack is not easy to execute, casual users need not worry about it.
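The fix recommended above, group management messages that only the administrator can sign, can be sketched in a short program. The following Go example was added for this article; it is not code from WhatsApp, Signal or the RUB researchers. The message layout, the field names, the use of Go’s standard-library Ed25519, and the per-group sequence number (added here so members also notice the replaying, dropping and reordering of management messages described above) are all assumptions of the example. Each member verifies a message against the admin’s public key before changing its local member list, so a server that relays messages but never holds the admin key cannot add a hidden member.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// GroupMessage is a constructed model of a group-management message.
// The layout is an assumption for this example, not any app's wire format.
type GroupMessage struct {
	GroupID   string
	Seq       uint64 // strictly increasing per group: exposes replays, drops and reordering
	Action    string // "add" or "remove"
	Member    string
	Signature []byte // Ed25519 signature by the group admin over Canonical()
}

// Canonical returns an unambiguous byte encoding of the signed fields.
// Strings are length-prefixed so field boundaries cannot be shifted.
func (m GroupMessage) Canonical() []byte {
	var out []byte
	putStr := func(s string) {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		out = append(out, l[:]...)
		out = append(out, s...)
	}
	putStr(m.GroupID)
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], m.Seq)
	out = append(out, seq[:]...)
	putStr(m.Action)
	putStr(m.Member)
	return out
}

// Sign builds a management message authenticated with the admin's private key.
func Sign(adminPriv ed25519.PrivateKey, groupID string, seq uint64, action, member string) GroupMessage {
	m := GroupMessage{GroupID: groupID, Seq: seq, Action: action, Member: member}
	m.Signature = ed25519.Sign(adminPriv, m.Canonical())
	return m
}

// GroupState is what every member keeps locally: the admin's public key,
// the last accepted sequence number and the current member set.
type GroupState struct {
	GroupID  string
	AdminPub ed25519.PublicKey
	LastSeq  uint64
	Members  map[string]bool
}

func NewGroup(groupID string, adminPub ed25519.PublicKey, initial ...string) *GroupState {
	g := &GroupState{GroupID: groupID, AdminPub: adminPub, Members: map[string]bool{}}
	for _, m := range initial {
		g.Members[m] = true
	}
	return g
}

var (
	ErrWrongGroup   = errors.New("management message belongs to another group")
	ErrBadSignature = errors.New("management message not signed by the group admin")
	ErrBadSequence  = errors.New("unexpected sequence number: replay, drop or reordering")
	ErrBadAction    = errors.New("unknown action")
)

// Apply verifies a management message before changing membership. The relaying
// server never holds the admin key, so it cannot mint a valid add or remove,
// and the sequence check rejects replayed, dropped or reordered messages.
func (g *GroupState) Apply(m GroupMessage) error {
	if m.GroupID != g.GroupID {
		return ErrWrongGroup
	}
	if !ed25519.Verify(g.AdminPub, m.Canonical(), m.Signature) {
		return ErrBadSignature
	}
	if m.Seq != g.LastSeq+1 {
		return ErrBadSequence
	}
	switch m.Action {
	case "add":
		g.Members[m.Member] = true
	case "remove":
		delete(g.Members, m.Member)
	default:
		return ErrBadAction
	}
	g.LastSeq = m.Seq
	return nil
}

func main() {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // the server's own key, not the admin's
	g := NewGroup("constructed-group", adminPub, "admin", "alice")

	fmt.Println("admin adds bob:      ", g.Apply(Sign(adminPriv, "constructed-group", 1, "add", "bob")))
	fmt.Println("server forges add eve:", g.Apply(Sign(serverPriv, "constructed-group", 2, "add", "eve")))
	fmt.Println("server replays seq 1: ", g.Apply(Sign(adminPriv, "constructed-group", 1, "add", "bob")))
	fmt.Println("members:", g.Members)
}
```

The important design point is that membership changes are accepted only on the member's own device, after a signature check against a key the server never sees; the server can still refuse to deliver a management message, but the sequence gap then shows the members that something was withheld, which is what the researchers mean by making the server's actions visible rather than trusted.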
Meanwhile, WhatsApp recently added a new feature to its app that allows users to quickly make a switch from a voice call to a video call. The feature is currently available for beta users on the Android platform.