A WhatsApp security flaw let researchers snoop on group chat messages

A WhatsApp security flaw let researchers snoop on group chat messages

Anyone who controls the app's servers could insert new people into private group chats without needing admin permission.

According to WABetaInfo, a fan site that tests new WhatsApp features early, the new option, present in the Group Info section as "Dismiss as admin", allows an administrator to dismiss another one without removing him or her from the group. The flaw takes advantage of an issue in how WhatsApp handles group chats.

"Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism for that invitation that its own servers can't spoof", the report said. The server authenticates the administrator, confirms that they have the proper authority to add/remove members from that group, and then sends a signal to all of the members which notifies them that a new member has been added to their mutual group. WhatsApp is a widely used messenger and is available in more than 60 different languages which include 10 Indian languages. "Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members". However, the representative admitted research findings but added that if someone new would be added to the group chat, every other member, including the admin, would be alerted about it.

In their paper, the researchers compared WhatsApp's security practices with those of Signal and Threema, and they ultimately concluded that WhatsApp is the least secure of the three when it comes to group messages. It supports voice and video, and starting this week, WhatsApp's enabling a new feature in the latest Android beta version that lets users switch between voice and video during an active call. Prior messages can not be read by the new, uninvited member. According to them, the intrusion can be carried out by anyone who could controls app's servers.

More news: Nancy Kerrigan Has Nothing To Say About 'I, Tonya'
More news: 'I probably have a very good relationship with Kim Jong Un'
More news: Lok Sabha passes Bill that criminalises triple talaq

However, if a hacker manages this feat, they could drop into any group chat and read all future messages.

Now, it's important to note the limits of this security flaw: Whoever was exploiting it would have to be in control of the messaging app's servers. Since the group ID is a random 128-bit number (and is never revealed to non-group-members or even the server) that pretty much blocks the attack.

Facebook's Chief Security Officer Alex Stamos wrote on Twitter that the bug is not effective because WhatsApp users are notified when new members join conversations.

This is a big problem, because WhatsApp prides itself on end-to-end encryption for its messages.