A team of German cryptographers say they have found a flaw in WhatsApp's group chat that lets anyone who controls the company's servers, or who compromises them, add an eavesdropper to a group and read everything sent afterwards, without having to break the app's end-to-end encryption itself. The flaw is simple: the group management messages that add members are not signed by the group's administrator, so a malicious WhatsApp server can add any user it wants to any group. Once the newcomer is in, the existing members' clients encrypt their subsequent messages to that member exactly as they would for anyone else.
WhatsApp said it had "carefully looked" at the flaw and reassured users that their encrypted messages were safe.
"Existing members are notified when new people are added to a WhatsApp group", the platform said. The researchers' concern is that the notification is only as trustworthy as the message behind it: in a group with several administrators, the server can deliver the "added by" notice so that each admin is told a different colleague invited the newcomer, and nobody questions the addition. "And if not, the value of encryption is very little", Paul Rösler, one of the researchers, added.

Separately, WhatsApp supports voice and video calls, and starting this week the latest Android beta lets users switch between voice and video during an active call.
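To make the missing check concrete, here is an added example, not code from WhatsApp or from the researchers' paper, contrasting a client that applies group-membership control messages on the server's say-so, as the article describes, with one that requires an Ed25519 signature from a known administrator of that specific group. The message layout, the field names, the per-group sequence counter and the choice of Ed25519 are all assumptions of the example. What it shows is that with the signature check the server can neither add a member on its own nor pin a genuine addition on a different admin, because the inviter is whoever's key verified, not whatever name the server attaches.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// GroupAddMsg is an illustrative "add member" control message (assumed
// layout, not WhatsApp's). ClaimedBy is the unauthenticated "added by" label
// the server attaches; Signer and Sig carry the proposed admin signature.
type GroupAddMsg struct {
	GroupID   string
	NewMember string
	ClaimedBy string
	Seq       uint64 // per-group counter so an old genuine add cannot be replayed
	Signer    string
	Sig       []byte
}

// Group is one client's local view of a group.
type Group struct {
	ID      string
	Admins  map[string]ed25519.PublicKey // admin name -> verified signing key
	Members map[string]bool
	LastSeq uint64
}

// signedBytes serialises the fields an admin vouches for. Each string is
// length-prefixed so field boundaries cannot be shifted by the server.
func signedBytes(m *GroupAddMsg) []byte {
	var b []byte
	var n [8]byte
	for _, s := range []string{m.GroupID, m.NewMember, m.Signer} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		b = append(b, n[:4]...)
		b = append(b, s...)
	}
	binary.BigEndian.PutUint64(n[:], m.Seq)
	return append(b, n[:]...)
}

// SignAdd is what the adding admin's client would do before sending.
func SignAdd(priv ed25519.PrivateKey, m *GroupAddMsg) {
	m.Sig = ed25519.Sign(priv, signedBytes(m))
}

// ApplyAddUnchecked models the weakness in the article: whatever the server
// delivers is applied, and ClaimedBy is what the user is shown as the inviter.
func ApplyAddUnchecked(g *Group, m *GroupAddMsg) bool {
	g.Members[m.NewMember] = true
	return true
}

// ApplyAddVerified applies the add only if it is signed by a key this client
// already holds for an admin of this exact group and carries a fresh Seq.
// ClaimedBy is ignored: the inviter is m.Signer, whose key verified.
func ApplyAddVerified(g *Group, m *GroupAddMsg) bool {
	pub, known := g.Admins[m.Signer]
	if !known || m.GroupID != g.ID || m.Seq <= g.LastSeq {
		return false
	}
	if !ed25519.Verify(pub, signedBytes(m), m.Sig) {
		return false
	}
	g.Members[m.NewMember] = true
	g.LastSeq = m.Seq
	return true
}

// Scenario runs the cases from the article against both clients and reports
// which adds each one accepted. Names and keys are constructed here.
func Scenario() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fresh := func(id string) *Group {
		return &Group{ID: id, Admins: map[string]ed25519.PublicKey{"alice": pub},
			Members: map[string]bool{"alice": true, "bob": true}}
	}
	out := map[string]bool{}

	// Server-forged add: no admin was involved, but the label blames alice.
	forged := &GroupAddMsg{GroupID: "g1", NewMember: "mallory", ClaimedBy: "alice",
		Seq: 1, Signer: "alice", Sig: make([]byte, ed25519.SignatureSize)}
	out["forged_unchecked"] = ApplyAddUnchecked(fresh("g1"), forged)
	out["forged_verified"] = ApplyAddVerified(fresh("g1"), forged)

	// Genuine add signed by alice, then the same bytes replayed.
	g := fresh("g1")
	genuine := &GroupAddMsg{GroupID: "g1", NewMember: "carol", ClaimedBy: "alice", Seq: 1, Signer: "alice"}
	SignAdd(priv, genuine)
	out["genuine_verified"] = ApplyAddVerified(g, genuine)
	out["replay_verified"] = ApplyAddVerified(g, genuine)

	// Server swaps the member name (and bumps Seq) after alice signed.
	tampered := *genuine
	tampered.NewMember, tampered.Seq = "mallory", 2
	out["tampered_verified"] = ApplyAddVerified(g, &tampered)

	// Alice's genuine add for g1 redirected at a different group.
	out["crossgroup_verified"] = ApplyAddVerified(fresh("g2"), genuine)
	return out
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-20s accepted=%v\n", k, v)
	}
}
```

The unchecked client accepts the forged addition; the verifying client rejects it, along with a replay of a genuine addition, a copy whose member name the server altered after signing, and a genuine message redirected at another group. Binding the group identifier and a counter into the signed bytes is what stops the last three; the signature alone only stops the first.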
Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago.
Have you ever been bombarded with hundreds of notifications from a WhatsApp group and chosen not to read any of them, simply because there were so many and most did not seem to matter to you? The attack counts on exactly that inattention, and on the fact that the WhatsApp server can stealthily reorder and drop messages in the group, so an "added" notice need not stand out from the noise. The administrator is the person who manages the addition and removal of members, sets group policy and can delete the group chat itself. I think it would be better if the server didn't have metadata visibility into group membership, but that's a largely unsolved problem, and it's unrelated to confidentiality of group messages.
Groups where there are hundreds of messages at any given time are precisely where an unexpected addition is easiest to miss. The big draw of the app for many is its encrypted group chat, which is supposed to mean you don't need to worry that someone is listening in on what you are saying. But if the administrator does not notice the addition, the group is compromised. WhatsApp is also adding a feature that lets an admin demote a fellow admin without removing him from the group; that changes who may send management messages, not whether those messages can be verified.
According to the Wired report, the researchers pointed out a bug in how WhatsApp authenticates group-management messages.
Open Whisper Systems, the creators of Signal, told Wired that they are now redesigning how Signal handles group messaging, but did not share any more than that.
"While our investigation focuses on three major instant messaging applications, our methodology and the underlying model is of generic goal and can be applied to other secure group instant messaging protocols as well", researchers concluded in the paper.