At the Real World Crypto security conference in Switzerland, a group of German researchers announced that they had discovered flaws in WhatsApp’s end-to-end encryption. The researchers say that anyone who controls WhatsApp’s servers can add people to private group chats without getting the admin’s permission.
The researchers say the flaw in WhatsApp can allow anyone who controls the platform’s servers to add new people to a private group without needing permission from the group chat’s administrator to enter the conversation. That flaw means that hackers who may break into WhatsApp servers could take advantage of the bug and infiltrate group chats. The impostor could also block messages like questions or requests.
However, the paper goes on to explain how someone infiltrating a group would be able to remain unnoticed by the members after entering the group. The WhatsApp server can use the fact that it can stealthily reorder and drop messages in the group. It can thereby cache messages sent to the group, read their content first, and decide in which order they are delivered to the members.
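An added example, not code from WhatsApp or from the researchers’ paper: a toy Python model of the flaw described above, contrasting a client that applies any membership change the server relays with one that requires the change to be authenticated by the admin and to arrive in sequence. The class names, message fields and the HMAC under a key shared between admin and member (standing in for an admin signature) are assumptions.

```python
import hashlib
import hmac
import json

def tag(admin_key: bytes, change: dict) -> str:
    """Admin side: authenticate a membership change with a key the server never sees."""
    msg = json.dumps(change, sort_keys=True).encode()
    return hmac.new(admin_key, msg, hashlib.sha256).hexdigest()

class NaiveClient:
    """Applies any membership change the server relays (the behaviour the flaw relies on)."""
    def __init__(self, members):
        self.members = set(members)

    def on_change(self, change, mac=None):
        self.members.add(change["add"])
        return True

class VerifyingClient:
    """Applies a change only if the admin authenticated it and it is next in sequence."""
    def __init__(self, members, admin_key):
        self.members = set(members)
        self.admin_key = admin_key
        self.next_seq = 1

    def on_change(self, change, mac=None):
        if mac is None or not hmac.compare_digest(mac, tag(self.admin_key, change)):
            return False  # not authorised by the admin: reject
        if change.get("seq") != self.next_seq:
            return False  # replayed or reordered membership change: reject
        self.members.add(change["add"])
        self.next_seq += 1
        return True

def demo():
    admin_key = b"constructed-demo-key"  # constructed sample key (assumption)
    group = ["alice", "bob"]
    server_made = {"group": "g1", "seq": 1, "add": "mallory"}  # no admin involved
    admin_made = {"group": "g1", "seq": 1, "add": "carol"}
    naive, strict = NaiveClient(group), VerifyingClient(group, admin_key)
    naive.on_change(server_made)
    rejected = not strict.on_change(server_made)
    accepted = strict.on_change(admin_made, tag(admin_key, admin_made))
    replay_rejected = not strict.on_change(admin_made, tag(admin_key, admin_made))
    return sorted(naive.members), sorted(strict.members), rejected, accepted, replay_rejected

if __name__ == "__main__":
    print(demo())
```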
Stamos objected to the report, stating that there are multiple ways to check and verify the members of a group chat. He argued that since all members of a group chat can see who joins a chat, they’ll be notified of any eavesdroppers. It’s also worth asking what a redesigned secure WhatsApp would look like without this flaw. According to Stamos, if the app were to be redesigned, that would diminish how easy it is to use.
On WhatsApp, existing members of a group are notified when new people are added. WhatsApp is built so group messages cannot be sent to hidden users, and it provides multiple ways for users to confirm who receives a message prior to it being sent. He added that the report has been looked at carefully, and while there may be a way to add more protection, it’s not clear-cut.