Researchers Found A Security Flaw in WhatsApp Group Chats

With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world. Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago.

However, a team of cryptographers from Germany’s Ruhr University Bochum has recently revealed details of a vulnerability in WhatsApp’s security that could be used to compromise the secrecy of encrypted group chats on the messaging platform. In other words, WhatsApp group chats might not be so secure and can easily be infiltrated without the permission of the group admin.

According to the report by these German security researchers, anyone who controls WhatsApp’s servers, including company employees, can covertly add members to any group. From their paper:

“5.4 Impact of the Weaknesses’ Combination
The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.”

They point out that “WhatsApp doesn’t use any authentication mechanism” when a new member is added to a group, and this is something its own servers can spoof as well. The researchers claim that someone with control of WhatsApp’s servers can add a new person to a group without the administrator even knowing.
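
To make the missing check concrete, here is an added example (not WhatsApp's protocol and not code from the paper) of a client that applies a membership change only when it carries a valid authentication tag and a fresh change number. Assumptions: all names are hypothetical, the key is shared among group members over end-to-end channels and unknown to the server, and HMAC stands in for an administrator signature, so it authenticates "a key holder" rather than one specific admin.

```python
import hashlib
import hmac
import json

def _mac(key, group, action, member, seq):
    # Canonical encoding so admin and verifier MAC identical bytes.
    data = json.dumps([group, action, member, seq], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_change(key, group, action, member, seq):
    """Admin side: membership change carrying a tag the relaying server cannot compute."""
    return {"group": group, "action": action, "member": member, "seq": seq,
            "tag": _mac(key, group, action, member, seq)}

class GroupView:
    """One member's local view of the group's member list."""

    def __init__(self, key, group, members):
        self.key, self.group = key, group
        self.members = set(members)
        self.last_seq = 0  # highest change number accepted so far

    def apply(self, msg):
        """Apply a change relayed by the server; return False and change nothing on failure."""
        try:
            group, action, member, seq = (msg[k] for k in ("group", "action", "member", "seq"))
            expected = _mac(self.key, group, action, member, seq)
            tag_ok = hmac.compare_digest(expected.encode(), msg["tag"].encode())
        except (KeyError, TypeError, ValueError, AttributeError):
            return False  # malformed message
        if not tag_ok:
            return False  # forged or modified in transit
        if group != self.group or not isinstance(seq, int) or seq <= self.last_seq:
            return False  # wrong group, or a replayed/reordered change
        if action not in ("add", "remove"):
            return False
        (self.members.add if action == "add" else self.members.discard)(member)
        self.last_seq = seq
        return True

def demo():
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    view = GroupView(key, "g1", {"alice", "bob"})
    genuine = make_change(key, "g1", "add", "carol", 1)
    # Constructed server-injected message: well-formed, but the tag is a guess.
    forged = {"group": "g1", "action": "add", "member": "mallory", "seq": 2, "tag": "0" * 64}
    return view.apply(genuine), view.apply(forged), view.apply(genuine), sorted(view.members)

if __name__ == "__main__":
    print(demo())
```
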

WhatsApp has acknowledged the issue raised in the paper, but argued that a notification will always be sent when anyone adds a new member to a group. Facebook Chief Security Officer Alex Stamos responded to the matter on Twitter. He objected to the report, saying that WhatsApp has multiple ways to check and verify members in a group chat.

“On WhatsApp, existing members of a group are notified when new people are added. WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent,” Stamos said.