German researchers have claimed there is a way to infiltrate WhatsApp’s group chats and listen in on private messages, despite its end-to-end encryption.
It seems that anyone who controls WhatsApp’s servers could insert new people into private group chats without needing admin permission.
But one Facebook official has hit back at the claim, and said that any members of a chat group would be notified if a new member joined, and there was no secret way into WhatsApp chats.
Researchers from the Ruhr University Bochum in Germany had announced they had discovered flaws in WhatsApp’s security at the Real World Crypto security conference in Switzerland, according to Wired.
That report stated that the researchers had found flaws in WhatsApp that make infiltrating the app’s group chats much easier than ought to be possible. It cited the researchers as saying that anyone who controls WhatsApp’s servers could effortlessly insert new people into an otherwise private group.
This can apparently be done even without the permission of the administrator who controls access to that conversation.
And once that new person is added, the phone of each member of that chat group automatically shares secret keys with that person, giving them full access to all future messages, but not past ones.
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the researchers, told Wired.
But there are a few issues with the researchers’ claims.
Firstly, control of WhatsApp servers tends to be possible only for Facebook (which owns WhatsApp) and governments that can demand access to the servers.
Of course, there is a possibility that hackers could gain control of WhatsApp servers, but this is somewhat unlikely.
And Facebook’s Chief Security Officer Alex Stamos took to Twitter to rubbish the claims. “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats,” he tweeted.
Essentially, Stamos said the researchers’ report was flawed, as no one can secretly add a new member to a group.
This is because group members receive a notification when a new, unknown member joins the group.
He also said there are multiple ways to check and verify the members of a group chat.
“In sum, the clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping,” Stamos tweeted. “The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.”
Silicon UK approached both WhatsApp and Facebook for comment, but received no reply at the time of writing.
WhatsApp’s security has faced questions before.
In 2015 the 200 million users of the WhatsApp Web service were warned they could be at risk of having malware installed on their machines without them knowing, after security experts at Check Point found an exploit that could allow attackers to trick victims into executing malware on their machines.
That same year, WhatsApp earned just one star out of a possible five for security in the Electronic Frontier Foundation’s (EFF) annual ‘Who has your back?’ security report.
WhatsApp had earned just one star because it failed to earn stars on disclosing government-issued data requests, disclosing policies on data retention, and following industry-accepted best practices for security.
And then last year, both WhatsApp and Telegram said they had patched ‘severe’ vulnerabilities, after Check Point found flaws associated with the web versions of the chat applications.
That came after WikiLeaks published sensitive US intelligence data that revealed that American spy agencies such as the CIA supposedly had the ability to bypass the encryption on WhatsApp, Telegram and Signal.