WhatsApp Group Chats Can Be Easily Hacked, Even With End-to-End Encryption

Adjust Comment Print

The team of cryptographers at Ruhr University in Bochum, Germany, found a set of security weaknesses in the messaging app that together allow anyone controlling the WhatsApp server to insert other parties into a private group thread without getting permission from the administrator who controls the group. The research claims that anyone who controls the server can add any uninvited member in any private chat without the permission of the group admin.

It raises concerns that sensitive conversations, such as the WhatsApp group set up by women at Westminster to discuss alleged sexual harassment by MPs, could be infiltrated by outsiders.

Once you are added to a group, the phones of the rest of the participants automatically send their secret keys to the new member, giving him or her access to any new messages from thereon. Currently, only the administrator of the group can invite new members, but the platform doesn't use authentication for an invitation its own servers can't spoof. However, security researchers have recently found a flaw with the app that could leave those encrypted group chats vulnerable to eavesdroppers.

With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages.

"The privacy and security of our users is incredibly important to WhatsApp".

So far, we have been led to believe that end-to-end encryption in mobile phones and messaging apps like iMessage, WhatsApp and Telegram ensures that messages sent and received by users are so well scrambled that the services themselves can not access or read them.

Razer's 'Project Linda' turns your phone into a gorgeous laptop
For now Razer is gathering fan feedback, but we wouldnt get too attached – juts take Linda for what it is, a cool-looking concept. As with many of Razer's CES reveals over the years, this is a prototype for the time being and may not make it to the market.

Facebook's Chief Security Officer Alex Stamos in a Twitter thread said that it was impossible for anyone to infiltrate WhatsApp's private groups. The researchers say there are many risks in group chats where the hacker has control of the server, because they can then manipulate who gets what messages, delete messages and more.

Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago. Existing members are notified when new people are added to a WhatsApp group. "The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity".

WhatsApp representatives told Wired there would be no fixes as a result of the research and that notifications of new chat additions are warning enough.

WhatsApp also stated that preventing the attack would put an end to its group invite link tool which allows anyone to enter a group just by tapping on a URL.

Given the alternatives, I think that's a pretty reasonable design decision, and I think this headline pretty substantially mischaracterizes the situation. "The chat app in 2016 brought the chat end-to-end encryption". Thus, servers can not detect if the admin added new members or someone unknown joined the private conversation.