WhatsApp bug allows infiltration of private group chats without admin permissions

A bug in WhatsApp means it’s possible to sneak into private chats without any admin permissions, despite the Facebook-owned company’s best efforts with encryption.

Research carried out by a German cryptography team found that a flaw in how the app interacts with WhatsApp’s severs, controlled by Facebook, allows anyone with access to those servers to easily insert new people into a private group chat.

So despite WhatsApp’s implementation of end-to-end encryption in its messaging, there’s potential for group chat to be infiltrated and snooped upon.

“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” explained Paul Rösler, one of the Ruhr University researchers who co-authored a paper which detailed the vulnerability.

“If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little,” he added.

However, Facebook’s Chief Security Officer Alex Stamos downplayed the security risks on Twitter, noting that there “isn’t a secret way” into WhatsApp group chats.

He explained that WhatsApp provides a notification every time a new user enters a group chat, so even if an unwanted guest appears in a private chat the legitimate members will know about it and admins can kick them out. And as only new messages can be viewed by a new member, the risk to privacy is mitigated somewhat.

In sum, the clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.

— Alex Stamos (@alexstamos) January 10, 2018

However, there’s potential for sophisticated hackers to use techniques to selectively block new group messages, as once the new member is added the encryption keys are shared between phones using WhatsApp, which would help interlopers avoid immediate detection.  

For hackers to exploit the flaw they’d need to first crack into the WhatsApp servers, which would require high-levels of hacking skills to even attempt. This further mitigates the risk the bug poses.

But for governments and hacker groups with the resources to carry out such hack attacks, the bug could be an enticing target, particularly for carrying out espionage and state-sponsored snooping.

Overall, the bug doesn’t seem to pose too much of a risk for the average WhatsApp user.

Of course, this doesn’t excuse the presence of a security hole. WhatsApp has noted that if it were to immediately fix the flaw it could cause problems with allowing legitimate new members to join the group though the use of a shared URL. So this would suggest it’ll be sometime before the bug is squashed.

Related: CES 2018 highlights

Do you trust WhatsApp to keep your messaging private or are you a Signal user? Let us know on Facebook or Twitter.