Thursday, 15 November 2018

WhatsApp security loophole can add uninvited members to your groups

11 January 2018

WhatsApp introduced end-to-end encryption to assure users that their conversations cannot be read by anyone else, not even the company providing the service, should it wish to. "If not, the value of encryption is very little".

After Wired published the initial story, Facebook's chief security officer, Alex Stamos, tweeted that it was not possible to access WhatsApp group chats.

In short, the WhatsApp server can simply add a new member to a group with no interaction on the part of the administrator.

Security researchers at Ruhr University Bochum have discovered a set of flaws in WhatsApp that could allow uninvited individuals into private group chats.

The paper puts it this way: "The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group".

Wired confirmed the researchers' findings with a WhatsApp spokesperson.

The vulnerabilities found in Threema and Signal are relatively harmless compared to the problem the researchers found in WhatsApp, where new people can be inserted into a private group with relative ease and without any admin's permission.

WhatsApp is also expected to give group administrators more power: an admin will be able to restrict all other members from sending text messages, photographs, videos, GIFs, documents or voice messages. Note that such a setting controls who can post, not who can be added, so it does not by itself address the membership issue described here.

The attack exploits how WhatsApp handles group chats: although only a group administrator may invite new members, the invitation (the group-management message telling every client that a member has been added) carries no authentication that WhatsApp's own servers cannot spoof. A client receiving a forged invitation cannot tell it apart from one the admin actually issued, so the new member appears to have joined with the admin's permission.

According to the researchers, once an attacker controlling the WhatsApp server has been added to a conversation, he or she can also use the server to selectively block any message in the group, since every message and membership notice in the group passes through that server.

Moxie Marlinspike of Signal, on whose open-source protocol WhatsApp's encryption is built, argued: "If someone hacks the WhatsApp server, they can obviously alter the group membership", but if they do add themselves to a group then "the attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have and all group members will see that the attacker has joined". The report claims, however, that this is a security hole that cannot be excused.

In their paper, titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", the researchers outline a series of flaws that allow an impostor to invade group chats or, worse, control who gets added to or removed from a group. Their proposed remedy is to extend the end-to-end protection to group management itself, so that a client accepts an add or remove only when it is authenticated by the admin with a key the server does not hold.
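The weakness described above (a client that accepts whatever membership change the server delivers) beside the admin-authenticated group management the researchers propose, as an added example written for this page; it is not WhatsApp's, Signal's or the paper's code. It assumes a simplified GroupUpdate message with assumed fields, an Ed25519 admin key that members learned over the end-to-end channel rather than from the server, and a per-group sequence number to block replay; none of these details are taken from WhatsApp's real protocol.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// GroupUpdate is a constructed stand-in for the server-relayed "member added" message (assumed fields, not WhatsApp's real format).
type GroupUpdate struct {
	GroupID   string `json:"group_id"`
	Seq       uint64 `json:"seq"`    // strictly increasing per group, blocks replays
	Action    string `json:"action"` // "add" or "remove"
	Member    string `json:"member"`
	Issuer    string `json:"issuer"` // admin the update claims to come from
	Signature []byte `json:"sig,omitempty"`
}

// Group is one client's local view of a group's membership.
type Group struct {
	ID      string
	Admins  map[string]ed25519.PublicKey // keys learned end-to-end, not from the server
	Members map[string]bool
	lastSeq uint64
}

func NewGroup(id, admin string, adminPub ed25519.PublicKey) *Group {
	return &Group{ID: id, Admins: map[string]ed25519.PublicKey{admin: adminPub}, Members: map[string]bool{admin: true}}
}

// signingBytes canonicalises the update with the signature field blanked.
func signingBytes(u GroupUpdate) []byte {
	u.Signature = nil
	b, _ := json.Marshal(u) // marshalling a plain struct cannot fail
	return b
}

// SignUpdate is what a genuine admin client does before handing the update to the server.
func SignUpdate(priv ed25519.PrivateKey, u GroupUpdate) GroupUpdate {
	u.Signature = ed25519.Sign(priv, signingBytes(u))
	return u
}

func (g *Group) apply(u GroupUpdate) error {
	switch u.Action {
	case "add":
		g.Members[u.Member] = true
	case "remove":
		delete(g.Members, u.Member)
	default:
		return fmt.Errorf("unknown action %q", u.Action)
	}
	return nil
}

// ApplyUnauthenticated mirrors the weakness in the text: whatever change the server delivers is believed.
func (g *Group) ApplyUnauthenticated(u GroupUpdate) error {
	return g.apply(u)
}

// ApplyAuthenticated accepts only fresh updates signed by a known admin key; the server has no admin private key, so it can neither forge nor replay.
func (g *Group) ApplyAuthenticated(u GroupUpdate) error {
	pk, ok := g.Admins[u.Issuer]
	if u.GroupID != g.ID || !ok {
		return fmt.Errorf("issuer %q is not an admin of group %q", u.Issuer, u.GroupID)
	}
	if !ed25519.Verify(pk, signingBytes(u), u.Signature) {
		return errors.New("signature does not verify under the admin's key")
	}
	if u.Seq <= g.lastSeq {
		return errors.New("stale or replayed update")
	}
	g.lastSeq = u.Seq
	return g.apply(u)
}

type Outcome struct {
	TrustingClientHasAttacker, CarefulClientHasAttacker bool
	ForgedErr, GenuineErr, ReplayErr                    error
}
// Scenario: a malicious server forges an "add" against both client styles, then a genuine admin-signed add is delivered and replayed.
func Scenario() Outcome {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	trusting, careful := NewGroup("g1", "alice", adminPub), NewGroup("g1", "alice", adminPub)
	// The attacker-controlled server has no admin key; it just claims alice issued this.
	forged := GroupUpdate{GroupID: "g1", Seq: 1, Action: "add", Member: "mallory", Issuer: "alice"}
	_ = trusting.ApplyUnauthenticated(forged)
	forgedErr := careful.ApplyAuthenticated(forged)
	genuine := SignUpdate(adminPriv, GroupUpdate{GroupID: "g1", Seq: 1, Action: "add", Member: "carol", Issuer: "alice"})
	genuineErr := careful.ApplyAuthenticated(genuine)
	replayErr := careful.ApplyAuthenticated(genuine) // server re-delivers the same message
	return Outcome{trusting.Members["mallory"], careful.Members["mallory"], forgedErr, genuineErr, replayErr}
}

func main() {
	o := Scenario()
	fmt.Printf("trusting client has attacker: %v\ncareful client has attacker: %v\nforged: %v\ngenuine: %v\nreplay: %v\n", o.TrustingClientHasAttacker, o.CarefulClientHasAttacker, o.ForgedErr, o.GenuineErr, o.ReplayErr)
}
```

Running it shows the trusting client ending up with "mallory" in its member list while the verifying client rejects the forged update, accepts the genuine signed one, and rejects its replay. The design point is that the admin key must reach members over the end-to-end channel; if clients learned admin keys from the server, the server could substitute its own and the signature check would be worthless.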

According to WABetaInfo, a fan site that tests new WhatsApp features early, the popular mobile messaging platform has shipped a "Restricted Groups" setting in version 2.17.430 through the Google Play Beta Programme.
