German cryptographers have found a way to infiltrate WhatsApp’s group chats despite its end-to-end encryption, provided the attacker controls WhatsApp’s servers.
The researchers presented the flaws in WhatsApp’s group messaging at the Real World Crypto conference in Zurich, Switzerland, Wired reports. Anyone who controls the app’s servers could insert new people into private group chats without needing admin permission, because the control messages that add members to a group are generated by the server and are not authenticated by the group’s administrator.
Once a new person is in, the phone of each member of that group chat automatically shares its sender keys with that person, giving the newcomer full access to all future messages but not to past ones, which were encrypted under keys the newcomer never received. To the other members it would look as if the admin had added the new member.
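The following toy model, added here to illustrate the mechanism just described, is not WhatsApp or Signal code. It shows a two-member Sender-Keys group in which the server (not the admin) pushes an "add member" control message. In the vulnerable configuration every phone accepts it and hands the newcomer its current sender chain key, so the newcomer reads every later message but cannot recover the earlier one. In the hardened configuration each phone demands that the change be authenticated by the group's admin; the HMAC "membership key" used for that is a simplified stand-in for a real admin signature, the hash ratchet and the XOR stream cipher are simplified stand-ins for the real Sender-Keys primitives, and the member names and messages are constructed for the example.

```python
"""Toy Sender-Keys group: server-forged 'add member' with and without admin authentication."""
import hashlib
import hmac
import json
import os


def ratchet(chain_key):
    """Hash ratchet: this message's key plus the next chain key (one-way, so past keys stay secret)."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain


def xor_crypt(key, data):
    """Toy stream cipher (HMAC-SHA256 keystream XORed in); stand-in for the real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def canonical(body):
    return json.dumps(body, sort_keys=True).encode()


class Client:
    """One member's phone. membership_key (hardened mode) is held by members, never by the server."""

    def __init__(self, name, hardened, membership_key=None):
        self.name = name
        self.hardened = hardened
        self.membership_key = membership_key
        self.own_chain = os.urandom(32)  # this member's sender chain key
        self.peer_chains = {}            # peer name -> latest chain key seen from that peer

    def authorize(self, body):
        """Admin side: bind a group change to the membership key (stand-in for an admin signature)."""
        return hmac.new(self.membership_key, canonical(body), hashlib.sha256).hexdigest()

    def accept_add(self, control):
        """Vulnerable mode trusts the server's control message outright; hardened mode checks the tag."""
        if self.hardened:
            return hmac.compare_digest(self.authorize(control["body"]), control.get("tag", ""))
        return True

    def decrypt_from(self, sender, ciphertext):
        key, self.peer_chains[sender] = ratchet(self.peer_chains[sender])
        return xor_crypt(key, ciphertext)


class Server:
    """The operator's server: relays ciphertext and emits group-management messages."""

    def __init__(self, clients, admin):
        self.clients = {c.name: c for c in clients}
        self.admin = admin
        for c in clients:  # initial sender-key distribution among the founding members
            for other in clients:
                if other is not c:
                    other.peer_chains[c.name] = c.own_chain

    def send(self, sender_name, plaintext):
        sender = self.clients[sender_name]
        key, sender.own_chain = ratchet(sender.own_chain)
        ciphertext = xor_crypt(key, plaintext)
        received = {n: c.decrypt_from(sender_name, ciphertext)
                    for n, c in self.clients.items() if n != sender_name}
        return ciphertext, received

    def add_member(self, newcomer, forged):
        """forged=True: the server inserts newcomer with no admin involvement at all."""
        body = {"op": "add", "member": newcomer.name}
        control = {"body": body}
        if not forged:
            control["tag"] = self.clients[self.admin].authorize(body)
        accepting = [c for c in self.clients.values() if c.accept_add(control)]
        if not accepting:
            return False
        for c in accepting:  # each accepting phone shares its current chain key with the newcomer
            newcomer.peer_chains[c.name] = c.own_chain
            c.peer_chains[newcomer.name] = newcomer.own_chain
        newcomer.membership_key = accepting[0].membership_key
        self.clients[newcomer.name] = newcomer
        return True


def intrusion(hardened):
    """Server plants 'eve' into alice and bob's group; report what eve can read."""
    mk = os.urandom(32) if hardened else None
    alice, bob = Client("alice", hardened, mk), Client("bob", hardened, mk)
    server = Server([alice, bob], admin="alice")
    past_ct, _ = server.send("alice", b"before the intrusion")
    eve = Client("eve", hardened)
    joined = server.add_member(eve, forged=True)
    _, received = server.send("bob", b"after the intrusion")
    reads_past = False
    if "alice" in eve.peer_chains:  # try the old ciphertext with whatever keys eve now holds
        key, _ = ratchet(eve.peer_chains["alice"])
        reads_past = xor_crypt(key, past_ct) == b"before the intrusion"
    return {"joined": joined, "reads_past": reads_past,
            "reads_future": received.get("eve") == b"after the intrusion"}


def admin_add():
    """Control case: in hardened mode an add the admin really authorized still goes through."""
    mk = os.urandom(32)
    alice, bob = Client("alice", True, mk), Client("bob", True, mk)
    server = Server([alice, bob], admin="alice")
    carol = Client("carol", True)
    joined = server.add_member(carol, forged=False)
    _, received = server.send("alice", b"welcome")
    return joined and received.get("carol") == b"welcome"


if __name__ == "__main__":
    print("vulnerable:", intrusion(False))
    print("hardened:  ", intrusion(True))
    print("admin add: ", admin_add())
```

Running it shows the asymmetry the researchers describe: in the vulnerable run eve joins and reads the later message but the earlier ciphertext stays unreadable even with her new keys, while in the hardened run every phone drops the unauthenticated control message and eve never receives a single key. The model has no notion of the membership notification Stamos points to; in the real app the newcomer is visible to all members, which is part of the dispute discussed below.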
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the researchers, told Wired. In the paper summarizing their findings, the researchers recommend that users who need absolute privacy stick to Signal or to one-to-one private messaging.
On the surface, WhatsApp, which is owned by Facebook, looks to have a serious security flaw. But how easy is it to gain control of WhatsApp’s servers? In practice the parties able to do so are WhatsApp’s own staff, a government that legally compels access, and a highly capable attacker who has compromised the servers.
Facebook’s Chief Security Officer Alex Stamos responded to the report on Twitter, saying, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”
Stamos objected to the report, pointing out that group members have several ways to check and verify who is in a chat. He argued that since every member of a group is shown who joins it, an eavesdropper inserted this way would not go unnoticed. It is also worth asking what a redesigned WhatsApp without this flaw would look like. According to Stamos, closing it would cost the app some of its ease of use.
Moxie Marlinspike, the security researcher who created Signal and whose open-source Signal Protocol WhatsApp uses for its encryption, said that the current design is reasonable, and that the report only sends a message to others not to “build security into your products, because that makes you a target for researchers, even if you make the right decisions.”