Have you ever wondered whether your WhatsApp group conversations are being monitored by the government? A security flaw in WhatsApp can give access to group conversations to outsiders without the knowledge of the group administrator. A group of researchers from Ruhr University Bochum in Germany described a series of flaws in instant messaging apps including Signal, WhatsApp and Threema, all three of which claim end-to-end encryption of their messages.
While the flaws of Signal and Threema are mostly harmless, their findings state anyone who has access to WhatsApp servers can easily insert themselves into a group conversation without the admin ever knowing.
Although, considering that the eavesdropper requires access to WhatsApp’s servers makes the flaw a little less dangerous, the implications are alarming. The vulnerability can be leveraged by sophisticated hackers who can break into the instant-messaging app’s servers. Even more, the flaw can easily allow government elements or WhatsApp staff to compromise private group conversations by legally coercing the company to give them access.
However, that doesn’t ring right with what WhatsApp claimed. The company set a benchmark for mainstream instant messaging app by enabling end-to-end encryption of all chats under the premise that even a compromised server shouldn’t divulge details. Messages sent to an individual or a group can only be read by them, not even the servers themselves.
The researchers state the flaw takes advantage of a simple bug that allows the server to add a new member to the group without interacting with the group admin. The phones of every member of the group then shares the encryption key with the new member providing the eavesdropper with complete access to any future messages.
Although, when a new member is indeed added to the group, it will be visible to every participant and even the admin. But the researchers pointed out some tricks to delay the detection. The person with control of WhatsApp’s server through which he implanted into the group can also use the server to block any message in the group, including the ones that welcome a new member to the group.
The hijacked server can even send different messages to different admins (if there are multiple admins) making it appear that another admin has invited the new member. The spy can also prevent the admin from removing him from the group if discovered.
WhatsApp confirmed the security flaw to Wired but added that its impossible to secretly add a new member to a group. However, to seal the breach of security outlined by the researchers, WhatsApp has to essentially roll back the group invite link feature that allows admins to simply send an invite link to a person who wants to join a group.
The researchers told Wired that they informed WhatsApp about the flaw back in July 2017 and in response, WhatsApp did fix part of the problem by making it difficult to decrypt future messages even after obtaining the encryption key.