WhatsApp security vulnerability detected: new members might be added to group chats without admin’s permission
WhatsApp is widely regarded as one of the most secure messaging apps, using end-to-end encryption to keep conversations between people private. However, a recent discovery suggests that the app's privacy is not as strong as it looked. Researchers have reported a security flaw that allows a third party with control over WhatsApp's servers to get into private group conversations.
Researchers Paul Rosler, Christian Mainka, and Jorg Schwenk from Ruhr University Bochum in Germany analyzed instant messaging apps and their end-to-end security. They found that WhatsApp has a flaw that allows anyone with access to the company's servers to add new people to a private group chat without the chat administrator's permission.
While the researchers say that a group chat can be infiltrated and its members spied on without detection, a WhatsApp spokesperson told Wired that this is impossible. The representative did acknowledge the research findings, but added that whenever someone new is added to a group chat, every other member, including the admin, is alerted about it.
WhatsApp’s end-to-end encryption is not that perfect
End-to-end encryption is one of the reasons WhatsApp gained so much popularity and trust. According to the developers, this encryption prevents third parties from accessing users' conversations. Chats are protected by a unique key which is shared only with the members of the conversation, and content shared in the chat is encrypted as well.
When an admin creates a group chat, he or she has the right to add other members. As soon as a new member is added, the existing members' apps automatically send that member the keys needed to read the conversation. Thus, neither WhatsApp nor anyone else outside the group should be able to obtain the keys and read the messages. As the company puts it:
We completed the implementation of end-to-end encryption in 2016 for all messaging and calling on WhatsApp so that no one, not even us, has access to the content of your conversations.
However, the researchers from Germany discovered that WhatsApp's end-to-end encryption can be undermined, because it does not protect against unauthorized membership changes made through the company's servers. The flaw allows anyone with access to the servers to add new members to a group chat without the administrator's permission; once added, the intruder receives keys for the following messages just like any legitimate member. (Messages sent before the addition remain unreadable to the newcomer, so the exposure is of the conversation from that point on.)
If WhatsApp's servers were compromised, attackers could control users' group chats
In principle, the only people who can access WhatsApp's servers are staff, and governments compelling the company through legal process. However, companies face cyber attacks daily, and WhatsApp's servers are no exception, especially now that attackers know about this flaw.
The research says that the app does not use any authentication to verify that a group invitation actually came from the administrator. Because the "add member" message carries no proof of the admin's authority, the members' apps cannot tell whether the admin added the new member or whoever controls the server injected the addition into the private conversation.
A WhatsApp representative said that if this were to happen and someone added new people to a group chat, the members would be notified. However, the research points out that whoever controls the server also controls message delivery, so the notification about the unknown participant could be withheld from some members, and spoofed or selectively delivered messages could be used to keep the administrator from noticing and removing the intruder from the private conversation.
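To make the missing check concrete, here is an added example (written for this page; it is not WhatsApp's code, and the message format, field names and key handling are assumptions for illustration) that contrasts the two behaviours described above. A group member's client first applies whatever "add member" message arrives, as the researchers describe, so a message the server injects on its own is accepted. The hardened variant requires the message to carry an Ed25519 signature from the group admin and a strictly increasing sequence number, so an unsigned addition is rejected and a withheld or replayed control message is noticed rather than silently lost.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// GroupControl is a hypothetical group-management message (an assumed
// format for this example, not WhatsApp's real one). Sig is empty when unsigned.
type GroupControl struct {
	GroupID string
	Action  string // "add" or "remove"
	Member  string
	Seq     uint64 // admin-maintained counter, strictly increasing per group
	Sig     []byte // admin's Ed25519 signature over the fields above
}

// Group is one member's local view of the group.
type Group struct {
	ID       string
	AdminPub ed25519.PublicKey
	Members  map[string]bool
	LastSeq  uint64
}

func NewGroup(id string, adminPub ed25519.PublicKey, members ...string) *Group {
	g := &Group{ID: id, AdminPub: adminPub, Members: map[string]bool{}}
	for _, m := range members {
		g.Members[m] = true
	}
	return g
}

// encode serialises the signed fields with length prefixes, so a signature
// over one (group, action, member) triple cannot be reused for another.
func encode(m GroupControl) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, m.Seq)
	for _, f := range []string{m.GroupID, m.Action, m.Member} {
		l := make([]byte, 4)
		binary.BigEndian.PutUint32(l, uint32(len(f)))
		b = append(append(b, l...), f...)
	}
	return b
}

// SignControl is what the admin's client would do before sending.
func SignControl(priv ed25519.PrivateKey, m GroupControl) GroupControl {
	m.Sig = ed25519.Sign(priv, encode(m))
	return m
}

// ApplyUnauthenticated models the weakness the researchers describe: the client
// applies whatever the server delivers, so a server-injected "add" looks legitimate.
func (g *Group) ApplyUnauthenticated(m GroupControl) error {
	return g.apply(m)
}

// ApplyAuthenticated accepts a control message only if the admin signed it and only
// in sequence, so a replay or a withheld earlier message is detected rather than lost.
func (g *Group) ApplyAuthenticated(m GroupControl) error {
	if !ed25519.Verify(g.AdminPub, encode(m), m.Sig) {
		return fmt.Errorf("control message not signed by the group admin: rejected")
	}
	if m.Seq != g.LastSeq+1 {
		return fmt.Errorf("sequence %d, expected %d: replay or a withheld message", m.Seq, g.LastSeq+1)
	}
	g.LastSeq = m.Seq
	return g.apply(m)
}

func (g *Group) apply(m GroupControl) error {
	if m.GroupID != g.ID {
		return fmt.Errorf("message is for a different group")
	}
	switch m.Action {
	case "add":
		g.Members[m.Member] = true
	case "remove":
		delete(g.Members, m.Member)
	default:
		return fmt.Errorf("unknown action %q", m.Action)
	}
	return nil
}

func main() {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed input: an "add" the server injects on its own, with no admin signature.
	injected := GroupControl{GroupID: "g1", Action: "add", Member: "mallory", Seq: 1}
	weak := NewGroup("g1", adminPub, "alice", "bob")
	fmt.Println("unauthenticated:", weak.ApplyUnauthenticated(injected), weak.Members)
	strong := NewGroup("g1", adminPub, "alice", "bob")
	fmt.Println("authenticated, injected:", strong.ApplyAuthenticated(injected))
	legit := SignControl(adminPriv, GroupControl{GroupID: "g1", Action: "add", Member: "dave", Seq: 1})
	fmt.Println("authenticated, admin-signed:", strong.ApplyAuthenticated(legit), strong.Members)
}
```

The sequence counter is what turns the "members would be notified" defence into something a client can rely on: if the server drops the admin's control message that would have triggered the notification, the next message arrives with a gap in the counter and the client can raise an alarm instead of assuming nothing happened.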