German cryptographers have found a way to infiltrate WhatsApp’s group chats in spite of its end-to-end encryption. Facebook says it’s not a problem…
Researchers announced at the Real World Crypto conference in Switzerland that they had discovered flaws in WhatsApp’s group-chat security: anyone who controlled the app’s servers could insert new people into private group chats without needing admin permission.
Once the new person is in, the phone of every existing member of that group chat automatically shares its secret (sender) keys with the newcomer, giving them full access to all future messages, though not to past ones. To the other members it would look as if the admin had added the new member.
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” said Paul Rösler, one of the researchers. In the paper summarizing their findings, the researchers suggested that users who need absolute privacy should stick to Signal or to one-to-one private messaging.
On the surface, WhatsApp, which is owned by Facebook, appears to have a serious security flaw. In practice, though, the attack requires control of WhatsApp’s servers, which limits it to WhatsApp staff, governments that legally compel access, and highly capable hackers.
Chief Security Officer of Facebook, Alex Stamos, responded to the report on Twitter saying, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”
Stamos objected to the report, stating that there are multiple ways to check and verify the members of a group chat. He argued that since all members of a group chat can see who joins, they will be alerted to any eavesdropper. It is also worth asking what a redesigned, secure WhatsApp would look like without this flaw. According to Stamos, redesigning the app to close it would make it harder to use.
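The mechanism described above (the server edits the member list and every member's phone then hands its sender key to the newcomer) and the redesign question Stamos answers can both be shown with a small model. The following Python is an added example written for this page, not code from WhatsApp, Facebook or the researchers. It simulates a sender-key group with a server that holds the member list, first with clients that trust the server's "member added" notices, then with clients that require each membership change to carry a tag under a group management key the server does not hold (a stand-in for having the admin sign membership changes). The HMAC tag, the toy keystream cipher, the group ID, the names and the message text are all constructed for the example.

```python
import hashlib
import hmac
import os

GROUP_ID = b"group-42"                       # constructed identifier for this example
SECRET_NOTE = b"deploy key rotates at noon"  # constructed group message


def toy_encrypt(sender_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Toy keystream cipher standing in for the sender-key ratchet (demo only, not secure)."""
    assert len(plaintext) <= 32
    keystream = hashlib.sha256(sender_key + counter.to_bytes(4, "big")).digest()
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes the encryption


def mgmt_tag(mgmt_key: bytes, op: bytes, member: str) -> bytes:
    """Tag over one membership change; stands in for a signature by the group admin."""
    data = GROUP_ID + b"|" + op + b"|" + member.encode()
    return hmac.new(mgmt_key, data, hashlib.sha256).digest()


class Client:
    def __init__(self, name: str, mgmt_key=None):
        self.name = name
        self.sender_key = os.urandom(32)  # key this member uses for its own group messages
        self.peer_keys = {}               # sender keys learned from the other members
        self.mgmt_key = mgmt_key          # None = trust whatever member list the server sends
        self.counter = 0

    def on_member_added(self, update: dict, server) -> bool:
        """React to a 'member added' notice. Returns True if we handed out our sender key."""
        if self.mgmt_key is not None:
            expected = mgmt_tag(self.mgmt_key, b"add", update["member"])
            if not hmac.compare_digest(expected, update.get("tag", b"")):
                return False  # change not authenticated by the admin key: ignore it
        # Share our sender key with the newcomer (pairwise-encrypted in a real client)
        server.deliver_key(self.name, update["member"], self.sender_key)
        return True

    def receive_key(self, sender: str, key: bytes) -> None:
        self.peer_keys[sender] = key

    def encrypt_next(self, plaintext: bytes):
        msg = (self.name, self.counter, toy_encrypt(self.sender_key, self.counter, plaintext))
        self.counter += 1
        return msg

    def read(self, msg):
        sender, counter, ciphertext = msg
        key = self.peer_keys.get(sender)
        return toy_decrypt(key, counter, ciphertext) if key is not None else None


class Server:
    """Holds the authoritative member list; whoever controls it can edit that list."""

    def __init__(self):
        self.clients = {}
        self.members = []

    def register(self, client: Client) -> None:
        self.clients[client.name] = client

    def deliver_key(self, src: str, dst: str, key: bytes) -> None:
        self.clients[dst].receive_key(src, key)

    def announce_add(self, update: dict) -> None:
        """Push a 'member added' notice to current members, then list the newcomer."""
        newcomer = update["member"]
        for name in list(self.members):
            self.clients[name].on_member_added(update, self)
        for name in self.members:  # newcomer shares its own sender key with everyone listed
            self.deliver_key(newcomer, name, self.clients[newcomer].sender_key)
        self.members.append(newcomer)

    def fan_out(self, msg) -> dict:
        """Deliver a group message; return what each listed recipient decrypted."""
        return {n: self.clients[n].read(msg) for n in self.members if n != msg[0]}


def run_scenario(authenticated: bool) -> dict:
    """Alice (admin) adds Bob; the server operator then sneaks Eve into the group."""
    mgmt_key = os.urandom(32) if authenticated else None  # held by members, not the server
    server = Server()
    alice, bob, eve = Client("alice", mgmt_key), Client("bob", mgmt_key), Client("eve")
    for c in (alice, bob, eve):
        server.register(c)
    server.members = ["alice"]
    bob_add = {"member": "bob"}
    if authenticated:
        bob_add["tag"] = mgmt_tag(mgmt_key, b"add", "bob")  # legitimate, admin-tagged change
    server.announce_add(bob_add)
    # Attack: the server inserts Eve with a notice it cannot authenticate.
    server.announce_add({"member": "eve", "tag": b"forged-by-server"})
    return {"members": list(server.members),
            "read": server.fan_out(alice.encrypt_next(SECRET_NOTE))}
```

In both runs the server's member list shows Eve, which is the visibility Stamos relies on; the difference is what Eve can read. With clients that trust the server, Alice's and Bob's phones hand Eve their sender keys and she decrypts Alice's next message. With tagged membership changes, the forged notice is dropped, no keys are sent, and Eve receives only ciphertext she cannot open, at the cost of the admin's device having to be involved in every membership change.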
Moxie Marlinspike, the security researcher who developed Signal and whose Signal Protocol WhatsApp uses for its encryption, said that the current app design is reasonable, and that the report only sends a message to others not to “build security into your products, because that makes you a target for researchers, even if you make the right decisions.”