WhatsApp has a serious security flaw which allows attackers and government agents to insert themselves into a group conversation. The problem was uncovered by a group of German cryptographers who presented their findings at the Real World Crypto security conference in Switzerland.
According to the team, anyone with access to WhatsApp’s servers could easily insert new people into a private group without needing the permission of the administrator. This would require a high level of access though, leaving the field open to skilled hackers, governments, and WhatsApp employees themselves.
All WhatsApp conversations are end-to-end encrypted, which means no outside party is allowed to snoop on a chat. However, there appears to be a simple bug in WhatsApp’s group mechanism. While only admins can invite new members, the company doesn’t utilize any authentication mechanism for this invite that its servers can’t spoof.
This leaves the door open to someone with access to invite themselves to the group and get each member’s secret keys in order to view messages from that point forward. As Facebook’s Chief Security Officer Alex Stamos points out though, all the members of the group would see this mysterious new addition.
However, the researchers claim that once the attacker is in, they can use the server to selectively block messages in the group which could give away their illegal entry. Plus, they could spoof messages to admins to make it look as though one or the other issued the invite.
The hacker could even go as far as to block any administrator’s efforts to get rid of them. WhatsApp has confirmed the findings, but doesn’t think it’s a major security issue. After all, admins can always tell the others through a new group or inform them through personal messages.
WhatsApp also stated that preventing the attack would put an end to its group invite link tool which allows anyone to enter a group just by tapping on a URL. Moreover, Wired states that it’s not a particularly efficient way to spy since the attacker gets caught out immediately upon joining a group.
Still, the fact that the door is open to this possibility is a cause for concern. It doesn’t look like WhatsApp will be changing its stance anytime soon, so users will just have to keep an eye out for a suspicious new member of a group.