WhatsApp Flaw Allows an Attacker to Insert Someone into a Private Group Chat

End-to-end encrypted messaging is in demand, and WhatsApp adopted the Signal protocol from Open Whisper Systems a couple of years ago. But a new research paper shows a significant gap in the Facebook-owned platform's group-chat security.

At the recent Real World Crypto conference in Zurich, Switzerland, researchers from Ruhr University Bochum in Germany presented a paper on the security of group chats in encrypted messaging apps, covering WhatsApp, Signal, and Threema. All three advertise secure, end-to-end encrypted messaging, but the team's findings undermine those claims to varying degrees.

The flaws the team found in Signal and Threema were relatively minor, but WhatsApp's was cause for concern. According to the paper, anyone who controls WhatsApp's servers can insert new members into an otherwise private group without the administrator's permission. "[It's] like leaving the front door of a bank unlocked and then saying no one will rob it because there's a security camera," Matthew Green, a researcher at Johns Hopkins University, told Wired. "It's dumb."

The bug lies in how WhatsApp handles group chats. Group-management messages, including the one that adds a new member, are not authenticated by the group's administrator, so WhatsApp's servers can forge an invitation. Every existing member's app treats the forged invitation as legitimate, adds the uninvited person to the group, and automatically shares its secret keys with the newcomer, giving him or her access to every message sent from then on. Earlier messages stay out of reach, since they were encrypted under keys the newcomer was never sent.
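To make the mechanism concrete, here is an added example, not code from the paper, from WhatsApp, or from the article: a small Go model of one member's device receiving group-management messages from the server. With no authentication (the behaviour described above) the device accepts whatever "add" the server delivers and hands the newcomer its sender key; with the administrator signing each update under an Ed25519 key and a per-group counter, a forged, tampered or replayed add is rejected. The message format, field names, the counter, the choice of Ed25519, and the one-line stand-in for sender-key distribution are all assumptions of this model, not WhatsApp's actual wire protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GroupUpdate is a group-management message such as "add Member to GroupID".
// Counter is a per-group sequence number (defeats replay); Sig is empty when unauthenticated.
type GroupUpdate struct {
	GroupID string
	Action  string
	Member  string
	Counter uint64
	Sig     []byte
}

// signingBytes serialises the fields as netstrings ("len:value,") so the
// server cannot shift bytes between fields without breaking the signature.
func (u GroupUpdate) signingBytes() []byte {
	var b []byte
	for _, s := range []string{u.GroupID, u.Action, u.Member, fmt.Sprint(u.Counter)} {
		b = append(b, fmt.Sprintf("%d:%s,", len(s), s)...)
	}
	return b
}

// Client models one member's device (hypothetical; not WhatsApp's code). A nil AdminPub
// reproduces the behaviour the article describes: updates are trusted exactly as delivered.
type Client struct {
	AdminPub    ed25519.PublicKey
	lastCounter uint64
	KeySentTo   map[string]bool // who holds this device's sender key, i.e. can read its future messages
}

// HandleUpdate processes an update as delivered by the server; true means the device acted on it.
func (c *Client) HandleUpdate(u GroupUpdate) bool {
	if c.AdminPub != nil {
		if u.Counter <= c.lastCounter {
			return false // replayed or reordered
		}
		if !ed25519.Verify(c.AdminPub, u.signingBytes(), u.Sig) {
			return false // not signed by the admin: forged or tampered with
		}
		c.lastCounter = u.Counter
	}
	if u.Action != "add" {
		return false // only member addition is modelled here
	}
	c.KeySentTo[u.Member] = true // existing member hands its sender key to the newcomer
	return true
}

// AdminSign builds an update signed with the administrator's private key.
func AdminSign(priv ed25519.PrivateKey, group, action, member string, ctr uint64) GroupUpdate {
	u := GroupUpdate{GroupID: group, Action: action, Member: member, Counter: ctr}
	u.Sig = ed25519.Sign(priv, u.signingBytes())
	return u
}

// Result records how Alice's device reacted to four deliveries from the server.
type Result struct {
	ForgedAccepted   bool // unsigned "add eve" made up by the server
	TamperedAccepted bool // Bob's signed "add carol" with Member rewritten to "eve" in transit
	GenuineAccepted  bool // Bob's signed "add carol", untouched
	ReplayAccepted   bool // the genuine message delivered a second time
	EveGotSenderKey  bool // did Alice's device send Eve its sender key?
}

// Simulate runs the four deliveries against Alice's device in a group Bob administers.
func Simulate(authenticated bool) Result {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	var trusted ed25519.PublicKey
	if authenticated {
		trusted = adminPub
	}
	alice := &Client{AdminPub: trusted, KeySentTo: map[string]bool{}}
	var r Result
	// The server holds no admin key, so it can only send an unsigned add...
	r.ForgedAccepted = alice.HandleUpdate(GroupUpdate{GroupID: "g1", Action: "add", Member: "eve", Counter: 1})
	// ...or take a message Bob really signed and edit it on the way through.
	genuine := AdminSign(adminPriv, "g1", "add", "carol", 1)
	tampered := genuine
	tampered.Member = "eve"
	r.TamperedAccepted = alice.HandleUpdate(tampered)
	r.GenuineAccepted = alice.HandleUpdate(genuine)
	r.ReplayAccepted = alice.HandleUpdate(genuine)
	r.EveGotSenderKey = alice.KeySentTo["eve"]
	return r
}

func main() {
	fmt.Printf("as described (unauthenticated): %+v\n", Simulate(false))
	fmt.Printf("with admin signatures:          %+v\n", Simulate(true))
}
```

Running it prints both Result structs: Simulate(false) accepts all four deliveries and Eve ends up with Alice's sender key, while Simulate(true) accepts only the genuine add. The counter is checked before the signature so that a replayed genuine message fails even though its signature is valid. In a real deployment the administrator's public key would itself have to reach the members over an authenticated channel; if the server can hand out that key, it can simply substitute its own.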

It is not the most practical way to eavesdrop on a WhatsApp group: you need control of WhatsApp's servers, and an unexpected new member is likely to be noticed, since every member's app shows the join. But here's hoping for a quick patch all the same.

Source: Wired. Source 2: PDF.
