WhatsApp flaw allows hackers to spy on users’ group chats

Sheetal Sukhija - Friday 12th January, 2018

CALIFORNIA, U.S. - Researchers have issued a warning about a security flaw found in the encrypted mobile messaging service WhatsApp.

The researchers have pointed out that the flaw could enable hackers to spy on private group chats.

According to their findings, the vulnerability enables anyone with access to WhatsApp servers to join a private group or insert others without the permission of the chat’s administrator.

Cryptographers from Ruhr University Bochum in Germany pointed out that once a new member is added to a group, the phone number of each member of the group automatically shares secret keys with that person, giving them full access to all future messages.

In one instance, the researchers pointed out that the flaw raises concerns that sensitive conversations, such as the WhatsApp group set up by women at Westminster to discuss alleged sexual harassment by MPs, could be infiltrated by outsiders.

The researchers pointed out that it would appear as though the infiltrating member had the administrator’s permission to join, and that the flaw is particularly risky in large groups with multiple administrators, where new members join and leave regularly.

One of the researchers, Paul Rösler, said in a statement, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them.”

In their research paper, they recommend that users who want absolute privacy should use the alternative encrypted messaging app Signal or restrict their WhatsApp use to private messaging to ensure privacy. 

Further, they have advised WhatsApp to introduce an authentication mechanism for new group invitations.
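The sketch below is an added example, not code from the article, the research paper or WhatsApp. It shows one way a client could authenticate a group addition instead of trusting the server: the update must carry a tag computed with a key the server never sees. The class and function names, the message fields and the assumption that each member already shares such a key end to end with the administrator are all hypothetical.

```python
import hashlib
import hmac
import json


def _canonical(update: dict) -> bytes:
    # Stable byte encoding so sender and receiver authenticate the same bytes.
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()


def sign_update(admin_key: bytes, update: dict) -> str:
    # Tag over the whole update: group, admin, new member and epoch.
    return hmac.new(admin_key, _canonical(update), hashlib.sha256).hexdigest()


class GroupClient:
    """One member's view of a group (hypothetical, simplified)."""

    def __init__(self, group_id, members, admin_keys):
        self.group_id = group_id
        self.members = set(members)
        self.admin_keys = dict(admin_keys)  # admin id -> key unknown to the server
        self.epoch = 0                      # number of the last accepted update

    def handle_add(self, update: dict, tag: str) -> bool:
        key = self.admin_keys.get(update.get("admin"))
        if key is None:                             # sender is not a known admin
            return False
        if update.get("group") != self.group_id:    # update is for another group
            return False
        if update.get("epoch") != self.epoch + 1:   # replayed or reordered update
            return False
        if not hmac.compare_digest(sign_update(key, update), tag):
            return False                            # tag not made with the admin key
        # Only now would the client share group keys with the new member.
        self.members.add(update["new_member"])
        self.epoch = update["epoch"]
        return True


def demo():
    # Constructed sample data: a genuine add, a server-injected add, a replay.
    key = b"constructed-admin-key"
    client = GroupClient("g1", {"alice", "bob"}, {"alice": key})
    genuine = {"group": "g1", "admin": "alice", "new_member": "carol", "epoch": 1}
    injected = {"group": "g1", "admin": "alice", "new_member": "mallory", "epoch": 2}
    results = [
        client.handle_add(genuine, sign_update(key, genuine)),
        client.handle_add(injected, "0" * 64),
        client.handle_add(genuine, sign_update(key, genuine)),
    ]
    return results, sorted(client.members)
```

The epoch counter matters as much as the tag: without it, a server could replay an old, validly authenticated addition to bring back a member who had since been removed.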

In the report, Matthew Green, a cryptography professor at Johns Hopkins University, said, “If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption. It’s just a total screw up. There’s no excuse.”

However, WhatsApp owner Facebook has dubbed the findings of the research “scary headlines.” 

Alex Stamos, the company’s chief security officer, said on Twitter, “[T]here is no secret way into Whatsapp Group chats. Everyone in the group would see a message that a new member had joined.”

According to Stamos, the organization had considered the research and claimed that following the researchers’ recommendations would “necessitate a change to the way WhatsApp provides a popular feature called group invite links – which are used millions of times per day.”

The researchers, however, claim that once hackers have access to a conversation they could also use the server to block and hide certain messages posted to the group, including those that question their membership.

In 2016, WhatsApp introduced end-to-end encryption for its two billion users in response to the growing consumer desire for privacy. 

However, there are other messaging apps too, including Threema and Signal, that offer a similar service.