According to a study conducted by researchers at the Ruhr University in Bochum, hackers can add people to group chats on WhatsApp
Over the years, WhatsApp has invested heavily in the security of user data. It introduced two-factor authentication and, thanks to Open Whisper Systems, end-to-end encryption of conversations. The latter decision in particular has improved privacy and protected users' conversations from possible intrusions by hackers.
The introduction of end-to-end encryption in the application was welcomed by both users and industry experts, who had been waiting a long time for such a decision from WhatsApp. End-to-end encryption might suggest that users' data is safe and that no one can intrude on their conversations. In reality, this is not the case. That is the finding of research conducted by the Ruhr University in Bochum (Germany), which discovered a flaw within WhatsApp's servers that would put the security of users' data at risk. The flaw would affect only group chats, not one-to-one chats.
What the researchers have discovered
The study was presented at the Real World Crypto security conference and immediately attracted a lot of attention. The research uncovered flaws in three instant messaging apps: WhatsApp, Signal and Threema. While the issues found in the last two apps are easily fixable, the WhatsApp bug would potentially endanger all group conversations. According to the researchers, the flaw would allow anyone with access to WhatsApp's servers to add people to group conversations without asking administrators for consent. Because of this bug, hackers could get inside the chats without anyone noticing and start collecting user data. The danger, the researchers point out, is that hackers could manage to get inside WhatsApp's servers and start adding people to groups. Governments could also pressure the messaging app in order to control group conversations during popular uprisings.
What hackers can do
Access to WhatsApp's servers would give hackers absolute control over group conversations. When someone is added to a chat, a message appears within the chat, alerting the other users. If a hacker added the user via server-level tampering, a group administrator could warn the other users that they did not add anyone. But if the group is very active, in 99% of cases the message that a new user has been added can be missed. By directly controlling the servers, hackers have other powers as well. For example, they can decide which messages to show within the chat and also send different messages to the group administrators. In this way, the intrusion goes almost undetected and malicious people can quietly collect people's data.
WhatsApp on alert
The Ruhr University researchers said they warned WhatsApp in July last year, but the instant messaging app's staff did not consider the bug important enough to merit the cash reward Facebook offers to anyone who discovers a flaw in one of its platforms. Some WhatsApp employees confirmed the issue to Wired, but emphasized that when a new member is added to a chat, all users are notified via a message. In their view, this would secure the users' data.
How to fix the problem
According to the scholars, the problem could be solved easily: all it would take is for WhatsApp to make a simple change, namely to add a kind of two-factor authentication for adding a user to a group, based on a key in the possession of the group administrator only. We'll see if WhatsApp decides to follow the researchers' advice.
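
One way to read the proposed fix, as an added example (not WhatsApp's code or the researchers' own): the administrator's device signs every membership change, and each member's client rejects an add relayed by the server unless it verifies under the administrator's public key. The message layout, the sequence number, the use of Ed25519 and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// MemberAdd is a hypothetical group-management message, not WhatsApp's wire format.
type MemberAdd struct {
	GroupID, NewMember string
	Seq                uint64 // increases per group so an old add cannot be replayed
	Sig                []byte // administrator's signature over the fields above
}

func (m MemberAdd) payload() []byte { // %q quoting keeps field boundaries unambiguous
	return []byte(fmt.Sprintf("member-add|%q|%q|%d", m.GroupID, m.NewMember, m.Seq))
}

// SignAdd runs on the administrator's device, the only holder of adminKey.
func SignAdd(adminKey ed25519.PrivateKey, group, member string, seq uint64) MemberAdd {
	m := MemberAdd{GroupID: group, NewMember: member, Seq: seq}
	m.Sig = ed25519.Sign(adminKey, m.payload())
	return m
}

// Group is one member's local state; AdminPub is assumed pinned at group creation.
type Group struct {
	ID       string
	AdminPub ed25519.PublicKey
	LastSeq  uint64
	Members  map[string]bool
}

// Apply accepts a server-relayed add only if it verifies under the admin key.
func (g *Group) Apply(m MemberAdd) error {
	if m.GroupID != g.ID || m.Seq <= g.LastSeq {
		return fmt.Errorf("wrong group or replayed add")
	}
	if !ed25519.Verify(g.AdminPub, m.payload(), m.Sig) {
		return fmt.Errorf("add not signed by the group administrator")
	}
	g.LastSeq, g.Members[m.NewMember] = m.Seq, true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	g := &Group{ID: "g1", AdminPub: pub, Members: map[string]bool{}}
	fmt.Println(g.Apply(SignAdd(priv, "g1", "bob", 1)), g.Apply(MemberAdd{GroupID: "g1", NewMember: "eve", Seq: 2}))
}
```

With this check on the client, a server that inserts a member on its own produces an add that every other member's device refuses, instead of a notification that can scroll past unnoticed.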