WhatsApp Vulnerability Allows Attackers To Be Inserted Into Encrypted Chats
WhatsApp, with its billion users around the globe and a claim of security thanks to end-to-end encryption on all chats, faces a new security kerfuffle today, with one group of researchers claiming that supposedly secure group chats are not quite as secure as we might have hoped.
A group of researchers from the Ruhr University Bochum in Germany claims to have found security flaws in a number of messaging clients, with the one relating to WhatsApp potentially allowing people to be inserted into secure chats without anyone knowing it is happening.
According to the group, anyone who has control of WhatsApp servers could insert people into private group chats without even the administrator of those chats being aware. The administrator is essentially the owner of the chat and the person with overall control, but if even they would not be aware of the interloper, nobody would. The group spoke with Wired ahead of the Real World Crypto security conference in Zurich, Switzerland, during which it will share its findings.
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” says Paul Rösler, one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities. “If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little.”
Of course, the chances of this being a security issue we need to truly worry about are fairly small, given that someone needs access to WhatsApp’s servers to exploit it. However, a disgruntled employee is not beyond the realms of possibility, and companies, services, and servers are, of course, known to be compromised.
If anything like that were to happen, all bets are off and our secure group chats are fair game. That alone should be enough to worry most people, and certainly enough to make WhatsApp itself sit up and take notice.