WhatsApp's New Feature Might Authorise To 'Demote' Fellow Group Admins

Share

A huge WhatsApp design flaw that allows anyone to infiltrate private group chats has been uncovered by security researchers.

The WhatsApp flaw allows anyone in control of WhatsApp servers to insert new participants into a private group without the permission of group admins.

Once the unidentified person has been injected into the group, the other members would receive a message informing them that a new member has been added, seemingly at the behest of the group admin. However, the representative admitted research findings but added that if someone new would be added to the group chat, every other member, including the admin, would be alerted about it.

However, there's potential for sophisticated hackers to use techniques to selectively block new group messages, as once the new member is added the encryption keys are shared between phones using WhatsApp, which would help interlopers avoid immediate detection.

"He can cache all the message and then decide which get sent to whom and which not", Rosler said.

In the paper "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", released last week, researchers reveal flaws that counter the platforms' claims that their group chats are secure.

A WhatsApp spokesperson said to the Wired that "no one can secretly add a new member to a group and a notification does go through that a new, unknown member has joined the group".

Nvidia is launching a line of massive 65-inch gaming displays
G-SYNC HDR technology also supports video playback at native framerates, including popular 23.976, 24 and 25 FPS formats. Additionally, Nvidia's streaming tech, Shield , is built right into the display without the need for a separate unit.

But they told the researchers the group invitation bug they'd found was merely "theoretical" and didn't even qualify for the so-called bug bounty program run by Facebook, WhatsApp's corporate owner, in which security researchers are paid for reporting hackable flaws in the company's software.

But the shoddy security around WhatsApp's group chats should make its most sensitive users wary of interlopers, Rösler argues.

However, if a hacker manages this feat, they could drop into any group chat and read all future messages.

To me, this article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don't build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not. However, WhatsApp has pointed out that it does give notifications and alerts when a new user is added to the group.

He says that users would be notified when a new person enters the group, which prevents "silent eavesdropping".

"At present, WhatsApp is developing this feature for iOS and it will be available soon for all users, instead for Android it is already enabled by default in the newest WhatsApp Google Play beta for Android 2.18.12", the report confirmed.

This is a big problem, because WhatsApp prides itself on end-to-end encryption for its messages.

Share