German researchers have uncovered a flaw in WhatsApp’s security that could potentially allow hackers to infiltrate group chats on the encrypted message service. But according to the Chief Security Officer of Facebook, which owns WhatsApp, users have nothing to worry about.
However, it is not the first time WhatsApp’s encryption has been called into question and when digging into the details, this latest problem is likely to concern a sizable proportion of WhatsApp users.
The revelations were made at the Real World Crypto security conference in Switzerland and subsequently reported in Wired. The researchers, who are from the Ruhr University Bochum, also identified relatively harmless flaws in the Signal and Threema encrypted messenger services, but it was the WhatsApp ones which were most concerning.
How to add unauthorised new members to a WhatsApp group
According to the researchers, it is possible for anyone who is in control of the WhatsApp servers to add new people to private chat groups without needing admin permission to do so.
Once they have been added, the new person will be in receipt of secret keys from each member of the group which will allow them to see all future messages sent in the group. They will be treated in the same way as a new member who was added with admin permission.
As one of the researchers, Paul Rösler, told Wired, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them.”
In their research paper, the group claims that this is a significant security flaw and conclude that anyone who is dependent on absolute security from their encrypted messenger service would be advised to use another service such as Signal or individual private messaging.
However, the extent of the flaw does obviously depend on who might be able to take control of WhatsApp servers in order to exploit the flaw.
This is obviously not a simple process and it seems likely that the only ones ever likely to have that power would be WhatsApp and Facebook staff, Governments who demanded access through the proper legal channels, or the handful of serious hackers that might be able to breach WhatsApp security.
For some users, that small group will still be enough to have them worried. For example, WhatsApp is used by many groups opposing authoritarian regimes around the world, so the idea that these governments might be able to exploit this flaw and compromise their private groups will be a big concern.
Facebook denies severity of the flaw
But Alex Stamos, the Chief Security Officer of Facebook, which owns WhatsApp denied that this was a major security flaw. Writing on Twitter, he said, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”
He went on to point out that whenever a new member joins a group, other members would get a message notifying them. This, he argues, means it is not possible for groups to have secret hidden members.
“The clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.”
However, other security experts with a more impartial perspective disagree. The article in Wired quoted Matthew Green, a cryptography professor at Johns Hopkins University, saying, “If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption. It's just a total screwup. There's no excuse.”
He went on to point out that once in a group, a new member would be able to block messages questioning their addition to the group. They could also spoof messages which suggest that another admin had approved the new member.
WhatsApp’s cavalier response
WhatsApp was informed of the bug last July, but their response to the researchers was far from satisfactory. They described the bug as being “theoretical”, refused to hand over the bounty they offer to security researchers who identify bugs in their software.
The researchers have identified a simple fix, which would involve WhatsApp adding an authentication mechanism for new group invitations. But Alex Stamos dismissed this suggestion, claiming it “would necessitate a change to the way WhatsApp provides a popular feature called group invite links – which are used millions of times per day.”
So, it appears that WhatsApp is intent on digging their heels in on this particular issue. It is a bug which will not be of huge concern to many users, but for those who are members of big groups for which privacy is a vital concern, it will definitely be a worry.
Some will undoubtedly move to other encrypted messaging service which do not have such a flaw, such as Signal. Those that don’t should ensure they are using a VPN. But even if these numbers are relatively small, there is no doubt this problem, and the cavalier response WhatsApp have given it, has damaged their reputation as a secure messaging app which can guarantee user privacy.