According to a Wired report, the flaws allow a person with control of WhatsApp’s servers to add anyone to a WhatsApp group without admin permission.
Once added to a group, the respective encryption keys of all the group members get shared automatically with the new user. So, a newly added eavesdropper can easily read all the new end-to-end encrypted messages exchanged between the members, but not the older messages or the ones for which the stranger doesn’t have the end-to-end encryption key.
The report was quick to ring the bell at the house of WhatsApp’s daddy Facebook. Its chief security officer Alex Stamos posted multiple tweets in response to Wired’s report.
“Read the Wired article today about WhatsApp – scary headline! But there is no secret way into WhatsApp group chats. The article makes a few key points.”
“Everyone in the group would see a message that a new member had joined,” he argued. But should that be considered a safety measure, relying on the alertness of the members to make sure some eavesdropper has not entered their WhatsApp group?
“WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.”
Stamos said that WhatsApp has seen the researchers’ findings. But preventing a possible attack would require letting go of a popular feature called “group invite links”, which allows anyone with a link to join a WhatsApp group. “There may be a way to provide this functionality with more protections, but it’s not clear cut.”
Even if such an attack could be performed, how many people would have access to WhatsApp’s servers except their employees and governments wanting to conduct surveillance? An experienced hacker would first have to compromise the servers before adding an eavesdropper to the group.
According to Moxie Marlinspike, who developed the Signal protocol, it’s not possible to suppress the alerts sent when someone joins the group, contrary to the researchers’ claim. It turns out it’s not possible for someone to snoop on group chats, and hacking the servers is not that easy.
Commenting on the report, Mike said that the article is a better example of the problems associated with the security industry and how research is done today. “I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions,” he wrote.
You can read more about the researchers’ findings in their paper.