Researchers claim to find a way to infiltrate WhatsApp Group chats

Apparently, WhatsApp has a flaw that allows anyone who has access to the company's servers to add new people to private group chats without the chat administrator's permission.

German cryptographers have found a way to infiltrate WhatsApp's group chats despite its end-to-end encryption.

However, a group of security researchers from the Ruhr University Bochum in Germany have revealed why that is not the case anymore.

While the group and the chats themselves have a layer of end-to-end encryption, the servers that the chats run on don't.

WhatsApp has confirmed the researchers' findings but points out that it is not possible to add a new member to a group without members of that group being notified.

While WhatsApp boasts great end-to-end encryption of messages, which is great for those who crave privacy but a source of chagrin for many in the law enforcement community, it seems the messaging service is susceptible to attacks on user privacy.

Once a person is added, everyone in the chat automatically shares secret keys with that user. WhatsApp has noted that if it were to immediately fix the flaw, it could cause problems with allowing legitimate new members to join the group through the use of a shared URL.

"If someone hacks the WhatsApp server, they can obviously alter the group membership."

Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server the attacker also needs to know the chat's Group ID - which is nearly impossible to know without having physical access to one of the phones in the message thread. Only the administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism for that invitation that its own servers can't spoof.
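
The missing check described above, as an added example that is not WhatsApp's or the researchers' code: one client applies whatever membership change the server relays, the other applies it only when it carries a tag the server cannot produce and a fresh sequence number. The HMAC key shared by the administrator and members is an assumption standing in for an administrator signature, and all names and values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample key. Assumption: it stands in for an administrator
# signing key that members learn end to end and the server never sees.
ADMIN_KEY = b"constructed-admin-key-not-known-to-server"


def encode(update):
    """Canonical bytes of the update fields covered by the tag."""
    fields = {k: update[k] for k in ("group", "action", "member", "seq")}
    return json.dumps(fields, sort_keys=True).encode()


def admin_update(group, action, member, seq, key=ADMIN_KEY):
    """Membership change as the administrator's client would send it."""
    update = {"group": group, "action": action, "member": member, "seq": seq}
    update["tag"] = hmac.new(key, encode(update), hashlib.sha256).hexdigest()
    return update


def apply_trusting(members, update):
    """Client that takes group membership from the server as-is."""
    changed = set(members)
    if update["action"] == "add":
        changed.add(update["member"])
    else:
        changed.discard(update["member"])
    return changed


def apply_verified(members, last_seq, update, key=ADMIN_KEY):
    """Client that rejects changes the administrator did not authenticate."""
    try:
        expected = hmac.new(key, encode(update), hashlib.sha256).hexdigest()
    except KeyError:
        return set(members), last_seq, "rejected: malformed"
    if not hmac.compare_digest(expected, str(update.get("tag", ""))):
        return set(members), last_seq, "rejected: bad tag"
    if update["seq"] <= last_seq:  # stale update relayed a second time
        return set(members), last_seq, "rejected: replay"
    return apply_trusting(members, update), update["seq"], "applied"


if __name__ == "__main__":
    group = {"alice", "bob"}
    relayed = {"group": "g1", "action": "add", "member": "mallory", "seq": 1}
    print(sorted(apply_trusting(group, relayed)))
    print(apply_verified(group, 0, relayed)[2])
    print(apply_verified(group, 0, admin_update("g1", "add", "carol", 1))[2])
```

With a shared HMAC key any member could also forge an update; a deployed design would use a per-administrator signature so that only the administrator can produce the tag.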

"WhatsApp has looked at the report carefully - following the researcher's plan would necessitate a change to the way WhatsApp provides a popular feature called group invite links - which are used millions of times per day," he said in one of the tweets.

But attackers that control a Threema server can replay messages or add a previously removed user back into a group, the researchers found. Clients of a group retrieve membership from the server, and clients encrypt all messages they send end to end to all group members. An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all.

The membership of a group can be seen by tapping on "group info". "There is no way to suppress this message."

"For example, it would be interesting to analyze the group chat implementations of other Signal-based messaging protocols, such as Google's Allo, Wire, and Facebook Messenger, or even non Signal-based protocols similarly to our investigation of Threema."

"It could even prevent any administrator's attempt to remove the eavesdropper from the group if discovered," Rösler said.
