Researchers claim to find a way to infiltrate WhatsApp Group chats
According to researchers, anyone who has control of WhatsApp servers can infiltrate private group chats, despite the end-to-end encryption.
A team of German cryptographers claims to have discovered flaws in WhatsApp Group chats despite the end-to-end encryption technology the instant messaging platform uses. Researchers claim the flaw makes it possible for anyone to infiltrate private group chats without admin permission. WhatsApp, however, has turned down the claim.
According to a report in Wired.com, the cryptographers from Ruhr University Bochum in Germany announced this at the "Real World Crypto Security Conference" in Zurich, Switzerland, on Wednesday.
"Anyone who controls the app's servers could insert new people into private group chats without needing admin permission," the report said, citing cryptographers.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," Paul Rosler, one of the Ruhr University researchers, was quoted as saying.
The WhatsApp attack on group chats takes advantage of a bug. "Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism for that invitation that its own servers can't spoof," the report said.
So the server can simply add a new member to a group with no interaction on the part of the administrator.
"The phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages," the report added.
With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages.
Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago.
According to the researchers, once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group.
"He can cache all the message and then decide which get sent to whom and which not," Rosler said.
Responding to the report, WhatsApp said, "We've looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."
Facebook's Chief Security Officer Alex Stamos in a Twitter thread said that it was impossible for anyone to infiltrate WhatsApp's private groups.
"WhatsApp has looked at the report carefully - following the researcher's plan would necessitate a change to the way WhatsApp provides a popular feature called group invite links - which are used millions of times per day," he said in one of the tweets.
In sum, the clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.— Alex Stamos (@alexstamos) January 10, 2018
Security researcher Moxie Marlinspike in a forum post explained how WhatsApp group messaging works.
"If someone hacks the WhatsApp server, they can obviously alter the group membership. If they add themselves to the group: 1. The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have. 2. All group members will see that the attacker has joined. There is no way to suppress this message," he wrote.
"Given the alternatives, I think that's a pretty reasonable design decision, and I think this headline pretty substantially mischaracterizes the situation. I think it would be better if the server didn't have metadata visibility into group membership, but that's a largely unsolved problem, and it's unrelated to confidentiality of group messages," he added.
"In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure. An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all."
(With inputs from IANS)