WhatsApp was applauded two years ago for adding end-to-end encryption to its platform to secure its users’ conversations. But even an encrypted platform has its challenges.
Recently, a team of German cryptographers found flaws in WhatsApp that they say make it easier for unauthorized individuals to access group chats. They also found flaws in Signal and Threema, but those have been reported to be harmless.
According to the researchers, an administrator of a conversation can invite new people into it. But when the administrator invites those people, the WhatsApp server doesn’t authenticate the new member, so anyone controlling the server could insert new people into the private conversation without the administrator’s knowledge. The researchers say the servers themselves should not be able to read the messages or insert new people into the conversation without the administrator’s knowledge, but this is what can happen.
If a new member is added to the group through the server, that member has access to secret keys from every other participant in the group, which gives the intruder full access to all future messages. Some people use WhatsApp for highly sensitive conversations that they don’t want unauthorized individuals to access.
The takeaway is that administrators and users in WhatsApp groups should watch carefully when new members are invited and join, and warn other members of an interloper or a spoofed invitation message. The administrator of the group can remove the unauthorized member, inform the legitimate users of the intruder in a one-to-one message, and start a new group that invites only the intended members.
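The following Python sketch is an added illustration, not code from WhatsApp or from the researchers. It models the property described above: a member's client should apply a membership change only when the administrator has authenticated it under a key the server does not hold. The class, the field names and the pairwise HMAC key are assumptions made for this simplified model and do not describe WhatsApp's actual protocol.

```python
import hashlib
import hmac
import json
import os

def admin_tag(key: bytes, group_id: str, member: str, seq: int) -> str:
    """MAC over a canonical encoding of an 'add member' change."""
    msg = json.dumps([group_id, "add", member, seq]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class MemberClient:
    """One member's view of the group roster (hypothetical model)."""
    def __init__(self, group_id, admin_key, roster, require_admin_auth):
        self.group_id = group_id
        self.admin_key = admin_key  # assumed: shared with the admin only, never the server
        self.roster = set(roster)
        self.require_admin_auth = require_admin_auth
        self.last_seq = 0  # highest administrator sequence number applied so far

    def on_add(self, change: dict) -> bool:
        """Handle an 'add' relayed by the server; return True if applied."""
        if self.require_admin_auth:
            seq = change.get("seq", 0)
            want = admin_tag(self.admin_key, self.group_id, change["member"], seq)
            if not hmac.compare_digest(want, change.get("tag", "")):
                return False  # not authenticated by the administrator
            if seq <= self.last_seq:
                return False  # replay of an older administrator message
            self.last_seq = seq
        self.roster.add(change["member"])
        return True

def demo() -> dict:
    key = os.urandom(32)
    roster = {"alice (admin)", "bob"}  # constructed sample roster
    weak = MemberClient("g1", key, roster, require_admin_auth=False)
    hardened = MemberClient("g1", key, roster, require_admin_auth=True)
    from_server = {"member": "mallory"}  # constructed: a change the admin never issued
    from_admin = {"member": "carol", "seq": 1, "tag": admin_tag(key, "g1", "carol", 1)}
    return {
        "weak_server_add": weak.on_add(from_server),
        "hardened_server_add": hardened.on_add(from_server),
        "hardened_admin_add": hardened.on_add(from_admin),
        "hardened_replay": hardened.on_add(from_admin),
        "weak_roster": sorted(weak.roster),
        "hardened_roster": sorted(hardened.roster),
    }
if __name__ == "__main__":
    print(demo())
```

The client that trusts the server's relay ends up with the unexpected member in its roster, while the client that checks the administrator's tag rejects that change and still accepts the administrator's own.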