Tuesday, 23 January, 2018

WhatsApp Security Flaw Lets Someone Covertly Add Members To Group Chats

Sherri Watson | 11 January, 2018, 15:27

As described in a newly published paper, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group. The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This discovery was presented at the Real World Crypto security conference in Zurich, where a team of German cryptographers shared their findings.

According to a Wired report, the flaws allow a person with control of WhatsApp's servers to add anyone to a WhatsApp group without admin permission.

As per the report, WhatsApp has acknowledged the issue, but argued that a notification is always sent when anyone adds a new member to a group.

And once that new person is added, the phone of each member of that chat group automatically shares secret keys with that person, giving them full access to all future messages, but not past ones.
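The two mechanics described above, an unsigned "add member" message that clients accept on the server's word, and existing members handing their sender keys to whoever was added, can be seen in a small model. The following is an added example written for this page, not code from WhatsApp or from the paper: it simulates the legacy policy (any add relayed by the server is applied) beside a hardened policy (an add is applied only if it carries the admin's authenticator). The names alice, bob, carol and mallory, the `signed_add`/`handle_add` helpers and the hash ratchet are constructed for the illustration. An HMAC under a key the members share stands in for the admin's signature; a real design would use a public-key signature so that only the admin can produce the tag, but the point being shown is the same: the server cannot produce it.

```python
"""Toy model of a relayed group chat: who may change the roster, and what a
newly added member can read.  Constructed illustration, not WhatsApp's code."""
import hashlib
import hmac
import json
import secrets


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def admin_tag(admin_key: bytes, payload: dict) -> str:
    """Authenticator over a management message.  HMAC under the admin's key is a
    stand-in for an admin signature (simplifying assumption of this toy)."""
    return hmac.new(admin_key, canonical(payload), hashlib.sha256).hexdigest()


def signed_add(admin_key: bytes, admin_name: str, member: str) -> dict:
    """A management message as the real admin would issue it."""
    payload = {"type": "add", "by": admin_name, "member": member}
    return {"payload": payload, "tag": admin_tag(admin_key, payload)}


def ratchet(chain: bytes) -> tuple:
    """Hash ratchet: (one-time message key, next chain key).  The chain only
    moves forward, so a current chain key says nothing about earlier messages."""
    return (hashlib.sha256(chain + b"msg").digest(),
            hashlib.sha256(chain + b"chain").digest())


def xor(data: bytes, key: bytes) -> bytes:
    """Toy stream encryption; messages are kept shorter than the 32-byte key."""
    return bytes(a ^ b for a, b in zip(data, key))


class Member:
    def __init__(self, name: str, admin_verify_key: bytes, require_admin_auth: bool):
        self.name = name
        self.roster = {name}
        self.admin_verify_key = admin_verify_key
        self.require_admin_auth = require_admin_auth
        self.chain = secrets.token_bytes(32)  # own sender chain key
        self.peer_chains = {}                 # sender name -> their chain key

    def handle_add(self, msg: dict) -> bool:
        """Apply a server-delivered 'add member' message; True if accepted."""
        payload, tag = msg["payload"], msg.get("tag")
        if self.require_admin_auth:
            expected = admin_tag(self.admin_verify_key, payload)
            if tag is None or not hmac.compare_digest(tag, expected):
                return False  # hardened: roster change lacks admin authentication
        self.roster.add(payload["member"])  # legacy: the server's word is enough
        return True

    def share_key_with(self, newcomer: "Member") -> None:
        """Existing members hand a new member their current sender chain key."""
        newcomer.peer_chains[self.name] = self.chain

    def encrypt(self, text: str) -> dict:
        msg_key, self.chain = ratchet(self.chain)
        return {"from": self.name, "ct": xor(text.encode(), msg_key)}

    def decrypt(self, msg: dict):
        chain = self.peer_chains.get(msg["from"])
        if chain is None:
            return None  # no key material for this sender
        msg_key, self.peer_chains[msg["from"]] = ratchet(chain)
        return xor(msg["ct"], msg_key)


def simulate(require_admin_auth: bool) -> dict:
    """Run the scenario under the legacy (False) or hardened (True) policy."""
    admin_key = b"constructed-admin-key-for-demo"  # constructed sample value
    alice = Member("alice", admin_key, require_admin_auth)  # the group admin
    bob = Member("bob", admin_key, require_admin_auth)
    alice.share_key_with(bob)
    bob.share_key_with(alice)

    before = alice.encrypt("before the add")
    assert bob.decrypt(before) == b"before the add"

    # The admin legitimately adds carol: the message carries a valid tag.
    legit = signed_add(admin_key, "alice", "carol")
    legit_ok = alice.handle_add(legit) and bob.handle_add(legit)

    # The server inserts mallory on its own; it cannot produce the admin's tag.
    mallory = Member("mallory", admin_key, require_admin_auth)
    forged = {"payload": {"type": "add", "by": "alice", "member": "mallory"}}
    forged_ok = alice.handle_add(forged) and bob.handle_add(forged)
    if forged_ok:
        alice.share_key_with(mallory)
        bob.share_key_with(mallory)

    after = alice.encrypt("after the add")
    shared = mallory.peer_chains.get("alice")
    # Even if the server replays old ciphertext, the handed-over chain key only
    # yields keys for messages sent after the join (the ratchet moved on).
    reads_past = shared is not None and xor(before["ct"], ratchet(shared)[0]) == b"before the add"
    reads_future = mallory.decrypt(after) == b"after the add"
    return {"legit_add_accepted": legit_ok, "forged_add_accepted": forged_ok,
            "reads_past": reads_past, "reads_future": reads_future}
```

`simulate(False)` shows the legacy outcome the article describes: the forged add is applied, members share keys with the newcomer, and the newcomer reads every later message but not the earlier one. `simulate(True)` shows the hardened outcome: the admin's own add still goes through, the server's add is dropped, and no key material is ever handed over.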

WhatsApp has a serious security flaw which allows attackers and government agents to insert themselves into a group conversation.

WhatsApp is also testing a feature that would give group administrators more power: the ability to restrict all other members from sending text messages, photographs, videos, GIFs, documents or voice messages if the admin so chooses.

The report, however, did not document any threat to the way end-to-end encryption protects the content of messages sent on WhatsApp.

The paper is now available online.

According to Moxie Marlinspike, who developed the Signal protocol, it is not possible to suppress the alerts sent when someone joins the group, contrary to the researchers' claim.

The report quickly drew a response from WhatsApp's parent company, Facebook. The application has been designed so that group messages cannot be sent to any hidden user.

This is a big problem, because WhatsApp prides itself on end-to-end encryption for its messages.

Everyone in the group would see a message that a new member had joined, seemingly at the invitation of the unwitting administrator.

"Our systematic analysis reveals that the groups' closeness - represented by the members' ability of managing the group - are not end-to-end protected", said the researchers.

While gaining access to WhatsApp's servers is beyond all but advanced attackers, the question is what happens once they do gain access.

This means they have access to all future messages, but can not view past ones.

For additional security, users can easily verify the security code of other group members.

In January last year, the Guardian newspaper reported that WhatsApp was vulnerable to interception, sparking concern over an app that marketed itself as a privacy leader.

"WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent".