In the years Whatsapp has invested heavily in user data security. Two-factor authentication and end-to-end conversation encryption have been introduced thanks to Open Whisper Systems. Above all, the latter decision allowed to improve privacy and to protect from hackers.

The turnaround of introducing end-to-end encryption within the application has been welcomed by both users and experts. The use of the end-to-end encryption it should suggest that user data is safe and that no one can intrude on their conversations. But in reality it is not so. This is what emerges from research conducted from the Ruhr University of Bochum (in Germany) who discovered the presence of a do it inside the WhatsApp servers.

What the researchers found

The study was presented during the Real World Crypto security conference and was immediately talked about a lot.

The research found flaws in three instant messaging applications: WhatsApp, Signal and Threema. While the problems encountered in the last two apps are easy to fix, the WhatsApp bug it would potentially endanger all group conversations. According to the researchers, a flaw would allow everyone with access to WhatsApp servers to add people to group conversations, without asking the administrators for consent. Due to this bug, hackers could enter chats without anyone noticing and start collecting user data.

Access to WhatsApp servers would allow hackers to have absolute control over group conversations. When you add someone to a chat, a message appears inside the chat, warning other users. If an attacker was adding the user through tampering at the server level, a group administrator may warn other users that he has not added anyone. But if the group is very active, the message of adding a new user may escape in 99% of cases. By controlling the servers directly, hackers also have other powers. For example, they can decide which messages to show in the chat and also send different messages to group administrators. In this way, the intrusion goes almost unnoticed and the attackers can safely collect people's data.

Whatsapp on alert

Researchers at the University of Ruhr said they warned WhatsApp in July last year, but the staff of the instant messaging application did not consider the bug important enough to deserve the cash reward that Facebook offers to all those who discover a do it on one of its platforms. Some WhatsApp employees have confirmed the problem to Wired, but have emphasized the fact that when adding a new member in a chat, all users are warned via a message. And this would secure user data.

How to solve the problem

According to scholars, the problem could be solved easily, it would be enough for WhatsApp to make a simple modification. Add some sort of two-factor authentication to add a user to a new group: a key owned only by the group administrator. We will see if WhatsApp decides to follow the researchers' advice.