2018 has not been a good year for security so far. After Intel, WhatsApp is now facing a security flaw that could expose encrypted group chats. German security researchers from Ruhr University have disclosed the flaw in the most famous messaging application, WhatsApp. They have found a way to gain access to WhatsApp group chats despite the end-to-end encryption. One of the Ruhr University researchers said, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the messages and read them.” This means that the flaw could allow a person who has control over the WhatsApp servers to add anyone to a WhatsApp group without the admin’s permission.
Once the person is added to the group, the encryption keys of all the group members are automatically shared with the new user. This gives the new user access to read all the end-to-end encrypted messages in the group. To carry out such an attack, the person would need complete control over the WhatsApp servers, which is practically not possible, as only the company’s employees and governments willing to conduct surveillance programs would have access to the WhatsApp servers.
The report took no time to reach WhatsApp’s daddy, Facebook. In no time, Facebook’s Chief Security Officer, Alex Stamos, posted several tweets in response to the report.
“Read the Wired article today about WhatsApp – scary headline! But there is no secret way into WhatsApp groups chats. The article makes a few points,” goes the first tweet.
He further adds that “Everyone in the group would see a message that a new member had joined.” But the question is, can that be considered a security measure?
Alex Stamos further justifies this by saying, “WhatsApp is built so group messages cannot be sent to hidden users and provide multiple ways for users to confirm who receives a message prior to it being sent.”
Alex Stamos added that WhatsApp has looked into the report very carefully. He said that preventing this attack would possibly change the way a popular WhatsApp feature works: group invite links, which allow anyone with a link to join a WhatsApp group.
According to the developer of the Signal protocol, contrary to the researchers’ claim, it is not possible to suppress the alert messages shown when someone joins a group, which indicates that it is not easy to hack the servers and sneak into group chats.