WhatsApp, Signal group chats not as secure as users might believe

WhatsApp, Signal group chats not as secure as users might believe

Security researchers have discovered a method of infiltrating group chats in WhatsApp, effectively rendering the chat tool's end-to-end encryption useless. We built WhatsApp so group messages can not be sent to a hidden user. The problem was uncovered by a group of German cryptographers who presented their findings at the Real World Crypto security conference in Switzerland.

According to the report, the attack on WhatsApp group chats takes advantage of a bug. WhatsApp has since confirmed this flaw, but they also told WIRED that no one can secretly add group members without the knowledge of the other members in the group.

Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server the attacker also needs to know the chat's Group ID - which is nearly impossible to know without having physical access to one of the phones in the message thread. In a statement to Wired, the company said, "We've looked at this issue carefully..."

The report was quick to ring the bell at the house of WhatsApp's daddy Facebook.

So far, we have been led to believe that end-to-end encryption in mobile phones and messaging apps like iMessage, WhatsApp and Telegram ensures that messages sent and received by users are so well scrambled that the services themselves can not access or read them. So they highlighted that any person who controls the app' servers could get the access the WhatsApp group chat.

Moxie Marlinspike, a security researcher who developed Signal, which licenses its protocol to WhatsApp, said that the current app design is reasonable, and that the report only sends a message to others not to "build security into your products, because that makes you a target for researchers, even if you make the right decisions".

Mobile offers BOGO deal on iPhone 8, $700 off for iPhone X
Should you only need one new phone, T-Mobile is also offering a up to $150 rebate on top Samsung and LG smartphones. And T-Mobile is taking specific aim at Verizon subscribers.

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", Paul Rosler, one of the Ruhr University researchers quoted.

Despite the service's end-to-end encryption, experts say hackers can insert people into WhatsApp groups without the permission of the chat's admin. However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys, ' he adds.

The best way for Sun readers to stay safe from this exploit is to always be mindful of who else is in your WhatsApp group.

Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago. Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.

This is because a notification does go through that a new, unknown member has joined the group, alerting people of the new unknown member.

All WhatsApp conversations are end-to-end encrypted, which means no outside party is allowed to snoop on a chat. An experienced hacker would first have to compromise the servers before adding an eavesdropper to the group.

Related Articles