WhatsApp: a flaw endangers group chats
According to a study conducted by researchers at Ruhr University Bochum, hackers can add people to group chats on WhatsApp.
Over the years, WhatsApp has invested heavily in user data security. It introduced two-factor authentication and, thanks to Open Whisper Systems, end-to-end encryption of conversations. This last step, in particular, has improved privacy and protected against hackers.
The introduction of end-to-end encryption in the application was welcomed by both users and experts. End-to-end encryption should lead people to believe that users' data is safe and that no one can interfere with their conversations. But in reality, this isn't the case. That is the finding of a study conducted at Ruhr University Bochum (in Germany), whose researchers discovered a flaw within WhatsApp servers.
What the researchers found
The study was presented at the Real World Crypto security conference and immediately became a talking point.
The research found flaws in three instant messaging applications: WhatsApp, Signal and Threema. While the problems encountered in the last two apps are easy to fix, the WhatsApp bug could potentially jeopardize all group conversations. According to the researchers, the flaw would allow anyone with access to WhatsApp servers to add people to group conversations without asking the administrators' permission. This would allow hackers to gain unnoticed access to chats and begin collecting user data.
Access to WhatsApp servers would give hackers complete control over group conversations. When someone is added to a chat, a message appears within the chat, alerting other users. If a hacker added the user by tampering with the server, a group administrator could alert other users that they haven't added anyone. However, if the group is very active, the message about a new user's addition could occasionally slip through the cracks. By directly controlling the servers, hackers also have additional powers. For example, they can decide which messages are displayed within the chat and even send different messages to group administrators. This way, the intrusion goes virtually unnoticed, allowing attackers to easily collect people's data.
WhatsApp on alert
Researchers at Ruhr University said they notified WhatsApp in July last year, but the messaging app's staff didn't consider the bug significant enough to merit the financial reward Facebook offers to anyone who discovers a flaw in one of its platforms. Some WhatsApp employees confirmed the issue to Wired, but emphasized that when a new member is added to a chat, all users are notified via a message. This would protect user data.
How to solve the problem
According to the researchers, WhatsApp could easily solve the problem with a simple change: adding a sort of two-factor authentication to add a user to a new group, in the form of a key held only by the group administrator. We'll see if WhatsApp decides to follow the researchers' advice.
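
One way a client could enforce the fix described above, as an added example that is not WhatsApp's code or the researchers' exact design: each member's app applies a membership change only if it carries a valid signature from the group administrator's key, so an "add" injected by the server is rejected. The use of Ed25519, the message layout, the sequence counter and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed sample key pair. Assumption: only the admin's device holds
// privateKey; members received publicKey over the end-to-end encrypted channel.
const admin = nodeCrypto.generateKeyPairSync('ed25519');

// Bytes covered by the signature. The sequence number stops the server from
// replaying an old, validly signed change.
function encodeChange(c) {
  return Buffer.from(JSON.stringify([c.groupId, c.action, c.member, c.seq]));
}

// Admin side: sign a membership change before handing it to the server.
function signChange(change, privateKey) {
  const sig = nodeCrypto.sign(null, encodeChange(change), privateKey);
  return { ...change, sig: sig.toString('base64') };
}

// Member side: local view of the group, pinned to the admin's public key.
function newGroupView(groupId, adminPublicKey, members) {
  return { groupId, adminPublicKey, members: new Set(members), lastSeq: 0 };
}

// Member side: apply a change relayed by the server only if the admin signed it.
function applyChange(view, msg) {
  if (msg.groupId !== view.groupId) return 'rejected: wrong group';
  if (msg.action !== 'add' && msg.action !== 'remove') return 'rejected: unknown action';
  if (typeof msg.sig !== 'string') return 'rejected: unsigned';
  if (!Number.isInteger(msg.seq) || msg.seq <= view.lastSeq) return 'rejected: replayed or stale';
  let ok = false;
  try {
    ok = nodeCrypto.verify(null, encodeChange(msg), view.adminPublicKey,
                           Buffer.from(msg.sig, 'base64'));
  } catch (e) { ok = false; } // a malformed signature counts as invalid
  if (!ok) return 'rejected: bad signature';
  if (msg.action === 'add') view.members.add(msg.member);
  else view.members.delete(msg.member);
  view.lastSeq = msg.seq;
  return 'applied';
}
```

With this check in place, the in-chat "new member" notice is no longer the only safeguard: a change that the administrator did not sign never alters the member list on any client.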