WhatsApp end-to-end security of group chats can be easily hacked: German researchers

According to a report in Wired, German researchers from the Ruhr University Bochum described a series of flaws in encrypted messaging apps such as WhatsApp, Signal and Threema. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. In the meantime, a team of cryptographers from Germany claims to have uncovered flaws in the security of WhatsApp. "But there is no [sic] a secret way into WhatsApp groups chats", he tweeted. The same security flaw also affects the Signal and Threema messaging apps, but not to the degree that WhatsApp is affected, according to the researchers.

But, as it turns out, the Signal protocol does not check whether the message was sent by an actual member of the group, meaning that anyone outside the group can send the message and, consequently, add a new user to the group.

In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure.

However, in a group conversation the servers play a larger role in coordinating the entire process, and this is where the vulnerability lies: the apps trust the company's servers to manage group members, who have full access to a group conversation, and their actions, The Hacker News reports. That immediately limits the potential of the exploit to employees, sophisticated hackers or governments who can convince the firm to give them access, but the risk is still there, and rather negates the value of WhatsApp's encryption. According to the paper, anyone who controls WhatsApp's servers can insert new people into an otherwise private group, even without the permission of the administrator. Only the administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism for that invitation that its own servers can't spoof. With Signal, however, an impostor would need to control the Signal server and would need to know the Group ID and the phone number of one member, the researchers said in the paper.
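One way a client could authenticate a membership change so that a server cannot spoof the administrator's invitation, shown as an added example (not code from WhatsApp, Signal, Threema or the researchers' paper). The `GroupState` and `AddMember` types, the single Ed25519 admin key and the epoch counter are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type GroupState struct { // one member's local view of the group (hypothetical model)
	ID       string
	AdminKey ed25519.PublicKey // verified out of band, never taken from the server
	Members  map[string]bool
	Epoch    uint64 // membership changes applied so far
}

type AddMember struct { // membership change as relayed by the server
	Group, NewMember string
	Epoch            uint64
	Sig              []byte // admin's Ed25519 signature over payload()
}

// payload binds epoch, group and new member; %q keeps the fields unambiguous.
func (m AddMember) payload() []byte { return []byte(fmt.Sprintf("%d %q %q", m.Epoch, m.Group, m.NewMember)) }

func NewGroup(id string) (*GroupState, ed25519.PrivateKey) {
	// Runs on the admin's device; the private key never reaches the server.
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return &GroupState{ID: id, AdminKey: pub, Members: map[string]bool{}}, priv
}

func Sign(priv ed25519.PrivateKey, m AddMember) AddMember {
	m.Sig = ed25519.Sign(priv, m.payload())
	return m
}

// Apply updates local membership only for a fresh change signed by the admin.
func (g *GroupState) Apply(m AddMember) error {
	if m.Group != g.ID || m.Epoch != g.Epoch+1 {
		return fmt.Errorf("wrong group or replayed change")
	}
	if !ed25519.Verify(g.AdminKey, m.payload(), m.Sig) {
		return fmt.Errorf("not signed by the group admin")
	}
	g.Members[m.NewMember], g.Epoch = true, m.Epoch
	return nil
}

func main() {
	g, priv := NewGroup("g1")
	add := AddMember{Group: "g1", NewMember: "bob", Epoch: 1}
	fmt.Println(g.Apply(add), g.Apply(Sign(priv, add))) // unsigned rejected, signed accepted
}
```

With a check like this on every member's device, a server-originated "add" without the admin's signature is dropped instead of being treated as an invitation.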

"We've looked at this issue carefully", the spokesperson added. In such a case, it is impossible for them to share details with enforcement agencies that they themselves cannot access.

WhatsApp is adding numerous features to its platform to enhance the user experience.

"Existing members are notified when new people are added to a WhatsApp group", the platform said. "There is no way to suppress this message". The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have.

The main problem is this: end-to-end encryption, which all of these messaging apps purport to offer, should not depend on uncompromised servers.
