Researchers found a way into WhatsApp group chats — but Facebook says it’s not a problem

Photo by Jaap Arriens/NurPhoto via Getty Images

German cryptographers have found a way to infiltrate WhatsApp’s group chats despite its end-to-end encryption.

Researchers announced they had discovered flaws in WhatsApp’s security at the Real World Crypto security conference in Switzerland, Wired reports. Anyone who controls the app’s servers could insert new people into private group chats without needing admin permission.

Once a new person is in, the phone of each member of that group chat automatically shares secret keys with that person, giving them full access to all future messages, but not past ones. It would appear as if the new member had the permission of the admin to join.

“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the researchers told Wired. The researchers recommend in their paper that summarizes their findings that users who rely on absolute privacy should stick to Signal or individual private messaging.

On the surface level, WhatsApp, which is owned by Facebook, looks to have a pretty big security flaw. But how easy can it be to gain access to the WhatsApp servers? The WhatsApp servers can only be controlled by staff, governments who legally demand access, and high-level hackers.

Facebook’s Chief Security Officer Alex Stamos responded to the report on Twitter, saying, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”

Stamos objected to the report, stating that there are multiple ways to check and verify the members of a group chat. He argued that since all members of a group chat can see who joins a chat, they’ll be notified of any eavesdroppers. It’s also worth asking what a redesigned, secure WhatsApp would look like without this flaw. According to Stamos, if the app were to be redesigned, that would diminish how easy it is to use.

Moxie Marlinspike, a security researcher who developed Signal, which licenses its protocol to WhatsApp, said that the current app design is reasonable, and that the report only sends a message to others not to “build security into your products, because that makes you a target for researchers, even if you make the right decisions.”

Comments

Not exactly a subtle intrusion though is it, don’t think that the security services will be using this to infiltrate anyone.

Of course they will. They’ll just name the new member "Definitely not the NSA".

The important thing for Facebook and government agencies (Islamic Republic, Chinese Government, Trump Administration etc..) is cataloging who you are talking too and when you talk to them – and they have access to that with Whatsapp by design (although I’m sure the end to end encryption of the messages wasn’t an easy sell to Facebook execs who’d rather have everything to mine).

FFS, when does it stop?. I’m moving back to carrier pigeons and hiding money inside the matters…

So… first you must gain access to the Whatsapp servers… I’m sure if someone manage to hack into Whatsapp servers, eavesdropping group chat would be the least thing to worry about.

Exactly

The problem is, when a government knows a back door is present they have historically put pressure on companies for this access.

When a company can present the request as technologically infeasible such a request is easier to take off the table.

View All Comments
Back to top ↑