WhatsApp group chats can easily be infiltrated, find researchers

At the recent Real World Crypto security conference in Zurich, Switzerland, cybersecurity analysts from Ruhr University Bochum in Germany presented a paper about security flaws in encrypted messaging apps including WhatsApp, Signal, and Threema.

According to the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to a group, so an unauthorized person who is not even a member of the group can add someone to the group chat. In effect, the researchers found a way to infiltrate WhatsApp group chats despite the end-to-end encryption. This is an obvious security concern, as all messages sent after the new member is inserted can be intercepted.

Hackers and spies could secretly eavesdrop on your private WhatsApp conversations, security researchers have claimed.

He said that there are multiple ways to verify group chat members, adding that users are notified of anyone new joining, including those without permission. Once an attacker with server control accessed the conversation, he or she could also use it to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant.

The fact that those controlling WhatsApp's servers can access group messages destroys the idea of end-to-end encryption which was introduced to ensure that even messaging services won't be able to access individual communications.

Signal handles group management a bit differently.

This is because a notification does go through that a new, unknown member has joined the group, alerting people of the new unknown member.

That's good news, because getting direct access to these servers would be extremely hard. "The reason is that in order to add someone to your group, I need to know the group ID".

So if you see someone new entering your group, speak to the other members in private chats to confirm the new person's identity. In such a case, it is impossible for them to share details with enforcement agencies that they themselves cannot access.

In Threema, only the creator of a group is the administrator, each group has a unique ID, and all group messages contain this ID. "From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats", the company said in its blog post.

The goal of end-to-end encryption is to remove the need to trust the intermediate servers, so that not even the company or the server that transmits the data can decrypt the messages or abuse its centralized position.

"We haven't entirely achieved this yet, thanks to things like key servers". After all, admins can always tell the others through a new group or inform them through personal messages.

That seems to be enough for them at the moment, especially because a fix for the flaw could end up breaking the convenient "group invite link" feature.
