New people added to a particular WhatsApp group without the administrator's permission will be able to read new messages posted by members of the group, thereby compromising the confidentiality and privacy that members belonging to a private WhatsApp group enjoy.
The issues are encryption flaws and were detailed at the Real World Crypto security conference in Zurich, Switzerland by researchers from Ruhr University Bochum in Germany. "But there is no [sic] a secret way into WhatsApp groups chats".
'The content of messages sent in WhatsApp groups remain protected by end-to-end encryption'.
The problem sits in WhatsApp's authentication mechanism for adding people to group chats.
In the paper "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", released last week, researchers reveal flaws that counter the platforms' claims that their group chats are secure. Once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant.
Anyone wanting to slide into other people's DMs would need access to WhatsApp's servers, which means it would have to be an extremely skilled hacker, an employee or a member of the intelligence services.
A WhatsApp spokesperson confirmed the findings to Wired, while adding that "no one can secretly add a new member to a group and a notification does go through that a new, unknown member has joined the group".
WhatsApp is adding numerous features to its platform to enhance the user experience.
"The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity".
But many attacks on encrypted systems don't break the encryption - they bypass it, as the processes around the encrypted data are usually far weaker than even bad encryption.
"Existing members are notified when new people are added to a WhatsApp group. WhatsApp is built so group messages can not be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent", Stamos said.
"For example, it would be interesting to analyze the group chat implementations of other Signal-based messaging protocols, such as Google's Allo, Wire, and Facebook Messenger, or even non Signal-based protocols similarly to our investigation of Threema".
The attackers might send spoofed messages in order to prevent the administrator from removing the spy from the private conversation.