Security researchers have revealed details of a vulnerability in WhatsApp’s security that could be used to compromise the secrecy of encrypted group chats on the messaging platform.
At the Real World Crypto security conference Wednesday in Zurich, Switzerland, a group of researchers from the Ruhr University Bochum in Germany plan to describe a series of flaws in encrypted messaging apps including WhatsApp, Signal, and Threema. The team argues their findings undermine each app’s security claims for multi-person group conversations to varying degrees.
But while the Signal and Threema flaws they found were relatively harmless, the researchers unearthed far more significant gaps in WhatsApp’s security: They say that anyone who controls WhatsApp’s servers could effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.
The attack apparently takes advantage of a bug in how WhatsApp handles group chats — in that while only the administrator of a group can invite new members the platform does not use any authentication mechanism for an invitation that its own servers cannot spoof.
Once an attacker with access to a WhatsApp server had added a new member to a group the phone of every participant would automatically share secret keys with that new member — affording them full access to any future messages.
The team of security researchers, who revealed the flaw to WhatsApp last July, suggest the company could fix the issue by adding an authentication mechanism for new group invitations that uses a secret key that only the administrator possesses to sign those invitations.