Researchers show WhatsApp groups can be hacked

Researchers show WhatsApp groups can be hacked

A team of German cryptographers claims to have discovered flaws in WhatsApp Group chats despite the end-to-end encryption technology the instant messaging platform uses.

WhatsApp has confirmed the researchers' findings but points out that it is not possible to add a new member to a group without members of that group being notified.

The researchers from Ruhr University Bochum in Germany announced this big news at the "Real World Crypto Security Conference" which was held in Zurich, Switzerland, on January 10.

However, if a hacker manages this feat, they could drop into any group chat and read all future messages. Once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant.

"Everyone in the group would see a message that a new member had joined", he argued. As a result, any potential flaw that impacts WhatsApp's privacy is cause for concern, ' says Jing Xie, senior digital security researcher at Venafi. However, an admin is the only one who can invite new members to the group, but WhatsApp doesn't have a mechanism to authenticate that invitation which its own server can spoof.

While messages shared before the attacker enters the group can not be read, it does give the person access to all messages which are shared from this point onward.

Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago.

The design flaws "allows an attacker ... controlling some of the messages sent by the WhatsApp server, to become a member of the group or add other users to the group without any interaction of the other users", according to their research paper released earlier this month.

Despite WhatsApp's secure end-to-end encryption for messages, German researchers have found a loophole that could allow hackers to worm their way into WhatsApp's group chats. It doesn't look like WhatsApp will be changing its stance anytime soon, so users will just have to keep an eye out for a suspicious new member of a group.

WhatsApp acknowledged the flaw to Wired, although emphasised that adding participants completely covertly is impossible, because of the notification system.

While, the group and the chats themselves have a layer of end-to-end encryption, the servers that the chats run on don't.

But, as it turns out, the Signal protocol does not check whether the message was sent by an actual member of the group, meaning that anyone outside the group can send the message and, consequently, add a new user to the group. The application has been designed in such a way that the group messages can not be sent to any hidden user.

All members of the group usually receive a notification when a new member joins. The privacy and security of our users is incredibly important to WhatsApp. After all, admins can always tell the others through a new group or inform them through personal messages.



Other news