Back in May 2016, WhatsApp introduced end-to-end encryption for all users across its platform. This raised the standard for privacy in digital messaging, but it also made it much harder for the company to maintain that standard of security, especially for group chats.
German researchers have now found a way to breach WhatsApp's security and intrude into group chats. They identified flaws that make it much easier to break into group conversations. At the Real World Crypto security conference in Zurich, Switzerland, the German cryptographers presented a series of flaws in encrypted messaging apps including WhatsApp, Signal, and Threema. According to the report by Wired, the flaws found in Signal and Threema were relatively harmless, while those found in WhatsApp were a severe privacy concern.
The researchers added that anyone with access to and control of WhatsApp's servers would be able to insert new people into an otherwise private group without much hassle.
To quote Paul Rösler, one of the Ruhr University researchers, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little”.
Demonstrating how group conversations on WhatsApp can be compromised, the researchers explained that their attack takes advantage of a simple, small bug in the way WhatsApp's encryption works. Only an administrator of a WhatsApp group can invite new members, but WhatsApp still does not have a mechanism to authenticate that invitation. Its servers can therefore spoof invitations, allowing a new member to be added to a group with no interaction on the part of the administrator. The smartphones of each participant in the group then automatically share secret keys with the new member, giving the new participant full access to future messages.
The researchers also pointed out several methods that can be used to delay the detection of a new participant, including using the server to selectively block messages in the group. The server can cache the messages and then decide which ones are delivered to whom and which are not.
Until this is sorted out, WhatsApp's most sensitive users should consider sticking to one-to-one conversations, or switching to a more secure group messaging app like Signal. Otherwise, users should keep a vigilant eye out for any new entrants sliding into their private conversations.
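The missing check described above is that a member's client accepts a "member added" message without proof that an administrator issued it. The sketch below is an added example, not WhatsApp's code or the researchers' proposed fix: it assumes each member already shares a pairwise end-to-end key with the administrator that the server never sees, and all names, fields and keys are constructed for illustration.

```python
import hashlib
import hmac
import json


def _encode(change: dict) -> bytes:
    # Canonical encoding so admin and member authenticate identical bytes.
    return json.dumps(change, sort_keys=True, separators=(",", ":")).encode()


def admin_authorize(pairwise_key: bytes, change: dict) -> bytes:
    # Admin side: MAC the membership change under the key shared with one member.
    return hmac.new(pairwise_key, _encode(change), hashlib.sha256).digest()


class MemberClient:
    def __init__(self, group_id, admins, pairwise_keys):
        self.group_id = group_id
        self.admins = set(admins)
        self.pairwise_keys = pairwise_keys  # admin id -> key unknown to the server
        self.members = set()
        self.last_seq = 0                   # highest accepted change number

    def handle_add(self, change: dict, tag: bytes) -> bool:
        """Return True only when group keys may be shared with the new member."""
        admin = change.get("admin")
        key = self.pairwise_keys.get(admin)
        if admin not in self.admins or key is None:
            return False
        if change.get("group") != self.group_id or change.get("op") != "add":
            return False
        seq = change.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            return False                    # replayed or reordered change
        if not hmac.compare_digest(admin_authorize(key, change), tag):
            return False                    # not issued by the administrator
        self.last_seq = seq
        self.members.add(change["member"])
        return True


def demo():
    key = b"constructed-alice-bob-pairwise-key"  # constructed sample key
    bob = MemberClient("g1", {"alice"}, {"alice": key})
    genuine = {"group": "g1", "op": "add", "admin": "alice",
               "member": "carol", "seq": 1}
    tag = admin_authorize(key, genuine)
    spoofed = dict(genuine, member="mallory", seq=2)  # server-made change
    return (bob.handle_add(spoofed, tag),    # old tag reused on a new change
            bob.handle_add(genuine, tag),    # real admin invitation
            bob.handle_add(genuine, tag),    # same invitation replayed
            sorted(bob.members))
```

Because the server never holds the pairwise key, it cannot produce a valid tag for a member it chooses, and the sequence number stops it from replaying an old invitation.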