
January 11, 2018

WhatsApp servers can be compromised to add people to private groups

by John_A

Messaging service WhatsApp made headlines in 2016 when it introduced end-to-end encryption for every message sent through the service, whether text, photo or video. Clearly security is a priority for the company. That’s why it’s so surprising that researchers have discovered a significant security flaw: anyone in control of a WhatsApp server can add people to a private group with minimal effort, as reported by Wired.

The findings will be presented Wednesday at the Real World Crypto conference in Zurich. A group of researchers from Ruhr University probed multiple messaging apps for security flaws. They didn’t have any major findings with Signal and Threema. WhatsApp was a different story, which you can read about in the paper they published on the topic.

“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the paper’s coauthors, told Wired. End-to-end encryption doesn’t mean nearly as much when someone at the company can simply drop a new person into a private chat whenever they want. Normally only the group’s administrator can invite a new person to a private chat, but there is currently no mechanism in place for members to authenticate that an invitation actually came from the administrator. Once a person is added, old messages remain encrypted from them, but every new message is available to the new member.

Now, it’s important to note the limits of this security flaw: Whoever was exploiting it would have to be in control of the messaging app’s servers. But if a server is indeed compromised, it’s not good news. WhatsApp noted to Wired that a notification would go out to all members if someone new were added to a group, so it’s not possible to add someone to a private chat and keep it a secret, but the fact that the possibility exists isn’t great in terms of security.
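To make the missing check concrete, here is an added illustration (not code from the paper, WhatsApp or Wired) of a client that applies server-delivered "add member" control messages unchecked, beside a client that only applies them when they carry an authentication tag. As a simplification of the admin-signed control messages the researchers argue for, the tag is an HMAC under a constructed secret that the admin shares with members over the end-to-end channel and that the relaying server never sees; a real deployment would use the admin's signing key so that ordinary members cannot forge either.

```python
import hashlib
import hmac
import json

# Constructed sample secret: known to the admin and group members, not the server.
ADMIN_KEY = b"constructed-admin-secret-shared-out-of-band"


def _payload(body):
    return json.dumps(body, sort_keys=True).encode()


def make_add_member(group_id, new_member, counter, key=ADMIN_KEY):
    """Admin builds an 'add member' control message and authenticates it."""
    body = {"type": "add", "group": group_id, "member": new_member, "ctr": counter}
    return {"body": body, "tag": hmac.new(key, _payload(body), hashlib.sha256).hexdigest()}


def vulnerable_apply(members, msg):
    """Model of the flaw: whatever the server delivers is applied as-is."""
    if msg["body"]["type"] == "add":
        members.add(msg["body"]["member"])
    return members


def hardened_apply(members, msg, last_ctr, key=ADMIN_KEY):
    """Apply an add only if the tag verifies and the counter is fresh (no replay)."""
    expected = hmac.new(key, _payload(msg["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return members, last_ctr, "rejected: not authenticated by admin"
    if msg["body"]["ctr"] <= last_ctr:
        return members, last_ctr, "rejected: replayed"
    members.add(msg["body"]["member"])
    return members, msg["body"]["ctr"], "applied"


def demo():
    """Run a server-forged add and a genuine admin add through both clients."""
    members = {"alice", "bob"}
    legit = make_add_member("g1", "carol", 1)
    # A compromised server can craft the body but cannot compute a valid tag.
    forged = {"body": {"type": "add", "group": "g1", "member": "mallory", "ctr": 2},
              "tag": "0" * 64}
    vuln = vulnerable_apply(set(members), forged)
    hard, ctr, r1 = hardened_apply(set(members), forged, 0)
    hard, ctr, r2 = hardened_apply(hard, legit, ctr)
    hard, ctr, r3 = hardened_apply(hard, legit, ctr)  # same message delivered twice
    return {"vulnerable": vuln, "hardened": hard, "results": (r1, r2, r3)}


if __name__ == "__main__":
    print(demo())
```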

Via: Gizmodo

Source: Wired, iacr.org
