WhatsApp security loophole can add uninvited members to your groups


A group of security researchers from Ruhr University in Germany has revealed a security loophole in the end-to-end encrypted messaging app WhatsApp. They point out that "WhatsApp doesn't use any authentication mechanism" when a new member is added to a group, which means its own servers can spoof such an addition as well.

Researchers from the Ruhr University Bochum analyzed flaws in three encrypted chat apps: WhatsApp, Signal and Threema. "If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against". The same security flaw also affects the Signal and Threema messaging apps, but not to the degree that WhatsApp is affected, according to the researchers.

WhatsApp is likely to give group administrators more powers, allowing them to restrict all other members from sending text messages, photographs, videos, GIFs, documents or voice messages if the admin chooses to.

However, Facebook's Chief Security Officer Alex Stamos downplayed the security risks on Twitter, noting that there "isn't a secret way" into WhatsApp group chats.

A flaw in the popular encrypted chat programs WhatsApp, Threema and Signal theoretically allows anyone who controls the apps' servers to bypass encryption and add themselves to group chats. This would be possible without needing the group administrator's permission, according to the researchers.

The flaw can be exploited or misused either by WhatsApp's own employees, who control the firm's servers, or by hackers who manage to compromise those servers, and who could thereby view the profiles of individuals and groups and add new people to targeted groups without obtaining permission from administrators. Clients of a group retrieve membership from the server, and clients encrypt all messages they send e2e to all group members.
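
The difference between a client that applies the server's membership update as-is and one that requires each change to be signed by a group administrator, as an added example that is not code from the article or from any of the three apps. The class and field names, the Ed25519 admin keys and the change counter are assumptions made for illustration.

```javascript
// Added illustration, not code from WhatsApp, Signal or Threema; all names are hypothetical.
const crypto = require("node:crypto");
// Canonical bytes an admin signs for one membership change.
const encodeChange = (groupId, seq, action, member) =>
  Buffer.from(JSON.stringify([groupId, seq, action, member]));
const signChange = (adminPrivateKey, groupId, seq, action, member) =>
  crypto.sign(null, encodeChange(groupId, seq, action, member), adminPrivateKey);
// One client's view of a group. adminKeys maps admin name -> Ed25519 public key,
// assumed to have been verified over the client's existing end-to-end channels.
class GroupState {
  constructor(groupId, members, adminKeys) {
    this.groupId = groupId;
    this.members = new Set(members);
    this.adminKeys = adminKeys;
    this.lastSeq = 0; // highest change number applied so far
  }
  // Model described in the article: the server's membership update is applied as-is.
  applyUnauthenticated(update) {
    if (update.action === "add") this.members.add(update.member);
    return true;
  }
  // Hardened model: the change must be signed by a known admin and be newer than lastSeq.
  applyAuthenticated(update) {
    const key = this.adminKeys.get(update.admin);
    if (!key || !Buffer.isBuffer(update.sig)) return false;
    if (!Number.isInteger(update.seq) || update.seq <= this.lastSeq) return false; // replay
    if (update.action !== "add" && update.action !== "remove") return false;
    const data = encodeChange(this.groupId, update.seq, update.action, update.member);
    if (!crypto.verify(null, data, key, update.sig)) return false;
    if (update.action === "add") this.members.add(update.member);
    else this.members.delete(update.member);
    this.lastSeq = update.seq;
    return true;
  }
}

// Constructed sample data: one update with no admin signature, one signed by admin "alice".
function demo() {
  const admin = crypto.generateKeyPairSync("ed25519");
  const keys = new Map([["alice", admin.publicKey]]);
  const weak = new GroupState("g1", ["alice", "bob"], keys);
  const hard = new GroupState("g1", ["alice", "bob"], keys);
  const unsigned = { action: "add", member: "mallory" };
  const signed = { admin: "alice", seq: 1, action: "add", member: "carol",
    sig: signChange(admin.privateKey, "g1", 1, "add", "carol") };
  return { weak: weak.applyUnauthenticated(unsigned), unsigned: hard.applyAuthenticated(unsigned),
    signed: hard.applyAuthenticated(signed), replay: hard.applyAuthenticated(signed),
    weakMembers: [...weak.members], hardMembers: [...hard.members] };
}
```

Because the signature covers the group ID, the change counter, the action and the member, the server cannot reuse a signed change for a different group or a different member.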

"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group", the paper states.

"The privacy and security of our users are incredibly important to WhatsApp. The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity".

So if you see someone new entering your group, speak to the other members in private chats to confirm the new person's identity.

"WhatsApp has looked at the report carefully - following the researcher's plan would necessitate a change to the way WhatsApp provides a popular feature called group invite links - which are used millions of times per day", he said in one of the tweets. "There is no way to suppress this message", he wrote.

The goal of end-to-end encryption is to remove the need to trust the intermediate servers, so that not even the company or the server that transmits the data can decrypt the messages or abuse its centralized position. "It could even prevent any administrator's attempt to remove the eavesdropper from the group if discovered", Rösler said.