Security researchers have discovered flaws in WhatsApp's security that could allow anyone to covertly add uninvited people to any private, encrypted group chat. According to a group of cryptographers at Ruhr University in Bochum, Germany, anyone controlling WhatsApp's server could easily insert new members into a private group, without the permission of the group administrator.
Typically, only a group administrator can invite new members to the group. However, the researchers found that WhatsApp has no mechanism to authenticate such an invitation when it comes from its own server.
Once the new person is added to the group, the phone of each member of the group chat automatically shares secret keys with that person, giving them full access to all future encrypted messages sent in the chat. Prior messages cannot be read by the new, uninvited member.
All members of the group usually receive a notification when a new member joins. However, the researchers noted it would be possible for anyone with access to the server to cover their tracks in a number of ways.
These include stealthily adjusting the order of messages delivered to the group members to avoid detection or blocking messages to the group, particularly when a member starts asking questions about the new uninvited guest.
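One way a client could authenticate membership changes before sharing any keys, as an added example (not WhatsApp's code and not taken from the researchers' paper): each change carries a MAC under the end-to-end key the receiving member already shares with an administrator, plus a per-group sequence number so that replayed or reordered changes are refused. The message fields, `GroupState`, `tag_change` and the keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json


def tag_change(pair_key: bytes, change: dict) -> str:
    """Admin side: MAC a membership change under the key shared with one member."""
    payload = json.dumps(change, sort_keys=True).encode()
    return hmac.new(pair_key, payload, hashlib.sha256).hexdigest()


class GroupState:
    """One member's local view of a group (hypothetical structure)."""

    def __init__(self, admins, members, pair_keys):
        self.admins = set(admins)
        self.members = set(members)
        self.pair_keys = pair_keys  # sender id -> end-to-end key shared with that sender
        self.last_seq = 0           # last membership change this client accepted

    def apply_change(self, change: dict, tag: str) -> str:
        key = self.pair_keys.get(change.get("sender"))
        if change.get("sender") not in self.admins or key is None:
            return "rejected: sender is not a known admin"
        if not hmac.compare_digest(tag_change(key, change).encode(), tag.encode()):
            return "rejected: not authenticated by the admin"
        if change.get("seq") != self.last_seq + 1:
            return "rejected: replayed, reordered or missing change"
        if change.get("op") != "add":
            return "rejected: unsupported operation"
        self.members.add(change["member"])
        self.last_seq = change["seq"]
        return "accepted"


def demo():
    # Constructed sample data: Alice administers a group that Bob belongs to.
    alice_bob_key = hashlib.sha256(b"constructed alice-bob session key").digest()
    bob = GroupState({"alice"}, {"alice", "bob"}, {"alice": alice_bob_key})
    genuine = {"group": "g1", "sender": "alice", "op": "add", "member": "carol", "seq": 1}
    forged = {"group": "g1", "sender": "alice", "op": "add", "member": "mallory", "seq": 2}
    return [
        bob.apply_change(forged, "00" * 32),                           # server-made, no valid MAC
        bob.apply_change(genuine, tag_change(alice_bob_key, genuine)), # admin-made
        bob.apply_change(genuine, tag_change(alice_bob_key, genuine)), # replay of the same change
        sorted(bob.members),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the server never holds the pairwise key, a change it fabricates fails the MAC check and the client never adds the new member to the set it shares group keys with.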
"The described weaknesses enable [the] attacker... who controls the WhatsApp server or can break the transport layer security, to take full control over a group," the researchers wrote in their paper published earlier this month.
"Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members.
"Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."
The researchers presented their findings at the Real World Cryptosecurity conference in Zurich on Wednesday (10 January), Wired reports. They also uncovered flaws in other secure messaging apps, Signal and Threema.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," Paul Rösler, one of the Ruhr University researchers, told Wired. "If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little."
Still, an attacker would first have to compromise the WhatsApp server and take control of it to carry out this attack. The company's servers can be controlled by employees, governments with legal access or, potentially, sophisticated hackers.
The researchers said they notified WhatsApp, which is owned by Facebook, of the flaw last July.
A WhatsApp spokesman confirmed the findings to Wired but said the platform is built to notify users of any new additions made to a group chat, and that users can check "Group info" to verify the same.
"We've looked at this issue carefully," a WhatsApp spokesman said in a statement. "Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."