Back in 2016, WhatsApp, the popular instant messaging app, introduced end-to-end encryption. This essentially meant that messages you send to a contact would be encrypted on your phone and then decrypted by the recipient’s phone. So, theoretically, a third party would not be able to intercept and read a message. Well, a group of German researchers seems to think differently.
At a conference called the Real World Crypto security conference, a group of researchers from the Ruhr University Bochum in Germany spoke about flaws they have discovered in messaging apps such as WhatsApp, Signal and Threema, all of which use encryption methods to secure their messages. According to them, in comparison to Signal and Threema, WhatsApp has a higher security risk.
How does the exploit work?
According to the researchers, the WhatsApp attack takes advantage of a basic flaw. Essentially, anyone who controls WhatsApp’s servers could easily add new unidentified people to WhatsApp groups without the permission of the group administrator, even though the administrator is the one with full control over adding and removing members.
As you know, only the administrator of a WhatsApp group can add/remove members. The problem is that WhatsApp doesn’t use any sort of authentication for the invitation. Accordingly, the server can just add a new member to an existing group without any interaction from the administrator.
Once the unidentified person has been injected into the group, the other members would receive a message informing them that a new member has been added, seemingly at the behest of the group admin. If the admin is keeping an eye on things, then he/she would know that a foreign party has entered the group and warn members about it.
Once the eavesdropper is in the group, he/she would have access to all future messages sent to the group, as WhatsApp would generate secret keys for each member in the group and share them with the newcomer. Obviously, this would defeat the purpose of end-to-end encryption, because servers shouldn’t be able to expose message contents, even when they are compromised.
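The missing check described above, as an added sketch that is not WhatsApp’s code or the researchers’: each member’s client accepts a roster change only if it carries a tag from the administrator. It assumes an HMAC key known to the group members but not to the server, as a simple stand-in for a real admin signature; all names and values are hypothetical.

```python
import hashlib
import hmac
import json

def _payload(group, action, member, seq):
    # Canonical encoding of the fields the admin's tag covers.
    return json.dumps([group, action, member, seq]).encode()

def sign_change(admin_key, group, action, member, seq):
    """Admin's client tags a membership change before it goes to the server."""
    tag = hmac.new(admin_key, _payload(group, action, member, seq), hashlib.sha256).hexdigest()
    return {"group": group, "action": action, "member": member, "seq": seq, "tag": tag}

class MemberClient:
    """One group member's view of the roster (hypothetical client model)."""

    def __init__(self, admin_key, group, members, verify=True):
        self.admin_key, self.group = admin_key, group
        self.members, self.verify, self.last_seq = set(members), verify, 0

    def on_membership_change(self, msg):
        """Apply a change relayed by the server; return True if accepted."""
        if self.verify:
            seq = msg.get("seq", 0)
            expected = hmac.new(self.admin_key,
                                _payload(self.group, msg["action"], msg["member"], seq),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
                return False  # not authorised by the admin (or fields altered)
            if seq <= self.last_seq:
                return False  # replayed or reordered change
            self.last_seq = seq
        if msg["action"] == "add":
            self.members.add(msg["member"])
        elif msg["action"] == "remove":
            self.members.discard(msg["member"])
        return True

def demo():
    key = b"constructed-admin-key"  # constructed sample secret, unknown to the server
    server_made = {"group": "g1", "action": "add", "member": "mallory", "seq": 1}
    naive = MemberClient(key, "g1", {"alice", "bob"}, verify=False)
    strict = MemberClient(key, "g1", {"alice", "bob"})
    signed = sign_change(key, "g1", "add", "carol", 1)
    return (naive.on_membership_change(server_made),   # accepted: roster grows unchecked
            strict.on_membership_change(server_made),  # rejected: no admin tag
            strict.on_membership_change(signed),       # accepted: admin-authorised
            strict.on_membership_change(signed))       # rejected: replay

if __name__ == "__main__":
    print(demo())
```

With a shared key any group member could forge the tag, so a real design would use the administrator’s own signing key; the point here is only that the server cannot produce a valid change by itself.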
Can it be identified?
The researchers explained that since the attacker has control of the WhatsApp server, he/she could even manipulate the server to block out any messages in the group. This would include messages asking about the new member and even those that say to be wary of the newcomer.
Are WhatsApp servers really that unsecured?
Well, according to WhatsApp, which is owned by Facebook, WhatsApp servers can only be controlled by staff, governments who legally demand access, and high-level hackers. This doesn’t really help in calming down the masses. Of course, in Sri Lanka, most people don’t really understand or realize the issue of privacy. In addition, the data protection act is not strictly enforced, but it’s still a bit of a cause for alarm. It is quite unsettling to know that a government agent could just join a private group you’re in and listen along to what’s happening.
Following the researchers’ presentation at the forum, a WhatsApp spokesperson explained that the privacy and security of users are a top concern of theirs. In reality, an attack of this nature is bound to be uncovered sooner or later. Despite the sheer number of members in a group, someone is bound to notice an unexpected “guest” in their group.
It’s apparently “theoretical”
WhatsApp staff have also notified the researchers that they have fixed one component of the encryption so that future messages would not be infiltrated by unknown parties. They also told the researchers that the group invitation bug was “theoretical” and would not qualify for Facebook’s bug bounty program, under which researchers are paid to report hackable flaws in the company’s software.
Overall, whether or not this sort of attack is possible, it always helps to keep a keen eye on the members of any WhatsApp group you’re in. If you notice anyone who should not be there, immediately notify the group admin. If you are the group admin, make sure you’re familiar with everyone in the group.