WhatsApp attackers can secretly add new members to group chats, research finds


And once that new person is added, the phone of each member of that chat group automatically shares secret keys with that person, giving them full access to all future messages, but not past ones.

But experts from Ruhr University Bochum in Germany said snoopers with access to WhatsApp's servers could potentially invite new members into other peoples' chats, allowing them to listen to their conversation.

A notification does go through that a new, unknown member has joined the group, alerting people to the addition. Even so, a newly added eavesdropper can read all the new end-to-end encrypted messages exchanged between the members from that point on.

"When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add". Although only an admin is supposed to be able to invite new members to the group, WhatsApp has no mechanism to authenticate that invitation, so its own server can spoof it.
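To make the failure concrete, here is a small added model (not WhatsApp's code or the researchers' code) of a group member handling a "member added" message. The vulnerable handler accepts any add the server delivers for the right group ID; the hardened handler additionally checks a tag computed with a group-management key that, by assumption, the admin shared with members over the end-to-end channel (an HMAC used here as a simple stand-in for an admin signature).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class GroupAdd:
    """Server-delivered group-management message: 'add new_member to group_id'."""
    group_id: str
    new_member: str
    tag: bytes = b""  # empty in the unauthenticated (vulnerable) design


def sign_add(admin_key: bytes, group_id: str, new_member: str) -> bytes:
    # Length-prefix both fields so "ab"+"c" and "a"+"bc" never collide.
    payload = b"".join(len(s).to_bytes(2, "big") + s for s in
                       (group_id.encode(), new_member.encode()))
    return hmac.new(admin_key, payload, hashlib.sha256).digest()


class Member:
    def __init__(self, group_id: str, admin_key: bytes):
        self.group_id = group_id
        self.admin_key = admin_key  # hypothetical key shared by the admin
        self.roster: set[str] = set()

    def on_add_unauthenticated(self, msg: GroupAdd) -> bool:
        # Vulnerable: trusts whatever the server says, as the article describes.
        if msg.group_id != self.group_id:
            return False
        self.roster.add(msg.new_member)
        return True

    def on_add_authenticated(self, msg: GroupAdd) -> bool:
        # Hardened: only an add the admin actually authorised is honoured.
        expected = sign_add(self.admin_key, msg.group_id, msg.new_member)
        if msg.group_id != self.group_id or not hmac.compare_digest(expected, msg.tag):
            return False
        self.roster.add(msg.new_member)
        return True


def simulate(group_id: str = "grp-constructed") -> dict:
    """Constructed scenario: a server-forged add vs. an admin-authorised add."""
    admin_key = os.urandom(32)
    member = Member(group_id, admin_key)
    forged = GroupAdd(group_id, "eavesdropper")          # server spoofs, no tag
    real = GroupAdd(group_id, "alice", sign_add(admin_key, group_id, "alice"))
    return {
        "vulnerable_accepts_forged": member.on_add_unauthenticated(forged),
        "hardened_rejects_forged": not member.on_add_authenticated(forged),
        "hardened_accepts_real": member.on_add_authenticated(real),
    }
```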

WhatsApp is an instant messaging platform which is preferred by millions of users across the globe, thanks to the clean user interface.

Encryption has always been one of the harder elements of group chat; the best protection in the world cannot stop unintended readers from seeing messages once they have been decrypted.

Signal handles group management a bit differently.
The vulnerabilities found in Threema and Signal are relatively harmless compared to the problems researchers found with WhatsApp, because of the relative ease with which new people can be inserted into private groups without any permission.

He objected to the report, saying that WhatsApp has multiple ways to check and verify members in a group chat. It plays an important role in securing apps against three types of attackers, including a malicious user, a network attacker, and a malicious server. "The reason is that in order to add someone to your group, I need to know the group ID. But there is no [sic] a secret way into WhatsApp groups chats."

In Threema, only the creator of a group is the administrator, each group has a unique ID, and all group messages contain this ID.

Moxie Marlinspike, a security researcher who developed Signal, which licenses its protocol to WhatsApp, said that the current app design is reasonable, and that the report only sends a message to others not to "build security into your products, because that makes you a target for researchers, even if you make the right decisions".

"We haven't entirely achieved this yet, thanks to things like key servers". WhatsApp has confirmed the findings, but doesn't think it's a major security issue.

Hackers and spies could secretly eavesdrop on your private WhatsApp conversations, security researchers have claimed. Also, the spokesperson noted, administrators could warn users about the new, unauthorized addition via private messages. The concern is sharpest when governments legally coerce information out of the servers' operators.
