Private conversations beware! Despite end-to-end encryption now being commonplace in WhatApp conversations, German cryptographers have discovered a minor flaw in WhatsApp’s security that could lead to private conversations being gatecrashed by uninvited hackers, bypassing the usual chat admin invitations.
In their paper, More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, presented to other enthusiasts at the Real World Crypto Symposium in Zurich, Switzerland, the team warned that WhatsApp has no security measures to stop invitations being spoofed from their own servers, leaving a hole that could leave millions of conversations at risk of being snooped on.
But it’s not all bad news. Essentially, the hacker would need to be in control of WhatsApp’s main chat servers — a fairly tall order — and only then would they be able to bypass the group’s administrator and insert users into any conversation. However, anyone who did manage to achieve this would then have near limitless power within the chat, being able to selectively block message visibility from accounts, and even block users from participating in the chat.
However, Facebook-owned WhatsApp doesn’t seem to be too worried about the potential hole in its security. A WhatsApp spokesperson (speaking to Wired) admitted that the flaw was real, but pointed out that there was no way that the added user could be hidden and receive messages from the group. WhatsApp has built-in security measures that stop hidden users from being able to participate in group chats, and anyone who wanted to snoop on a particular chat would find their cover quickly blown when the client announced their arrival to everyone in the chat, making it an inefficient way to spy on users. What’s more, disabling the flaw would likely break the “Group Invite Link” feature that many group chats enjoy — implying that the security issue likely stems from this particular feature.
However, Matthew Green of Johns Hopkins University called WhatsApp’s response “dumb,, likening it to leaving a bank’s vault open and relying on a single security camera to deter criminals. If any really sensitive information was stored in that group chat, then the hacker would have access to it, making WhatsApp’s lauded encryption useless.
WhatsApp has been in the news multiple times for reasons of security. After making all messages sent on its platform fully encrypted in 2016, the chat company has faced criticism from U.K. lawmakers, while action taken by Brazil was of a more serious nature.
- Microsoft and Signal team up to bring end-to-end encryption to Skype
- Instagram users could soon cross-post Stories to WhatsApp
- New pop-up test could help squash spam messages on WhatsApp
- WhatsApp targets small businesses with new app for better communication
- Intel opens bug hunt to all security researchers, offers possible $250K payout