Hackers Can Secretly Add Members To Your WhatsApp Group Chats!
It’s been two years since WhatsApp added end-to-end encryption in all their conversations. Although this increases the security and privacy of our chats, a security error has been discovered that allows access to private groups by skipping encryption.
German cryptographers discover a security error in WhatsApp
The main factor that leads to establishing a point-to-point encryption answers the question of privacy: messages should only be read by the sender and the recipient. The moment the message arrives or passes through another person or server, the filtering has failed. And this is what a team of German cryptographers has discovered during a security conference in Switzerland.
The objective of this group was to find security flaws in popular messaging apps. In Signal and Threema they found minor faults, but in WhatsApp, they found more worrisome faults in the group conversations. The main one is that, if a person controls a WhatsApp server, they can add any other person if they wish, even if they do not have the permissions of the administrators.
This failure in the server goes against what should be expected to have a point-to-point encryption. Even if the servers were compromised, the conversations should remain safe. With this failure, anyone can see them if they take control of the server.
According to the group of researchers, the reason why the failure is possible is because of a fairly simple bug. Although only administrators have permissions to add new members, WhatsApp does not provide any authentication method. Therefore, the server does not have a mechanism to prevent this failure.
For their part, users will see a message indicating that a new member has been added to the group, but since only the administrator knows whether they have done so or not, it depends on that person being attentive.
The danger increases considering that, if they have taken control of the server, they can choose who has seen what message, deceiving people and avoiding being detected. Even with several administrators, you can make one believe that someone else has invited you.
For its part, WhatsApp has responded to criticism. They ensure that in the future they intend to include the invitation by URL and that implementing measures against the error detected by the German team would break this function. In addition, they consider it unlikely that anyone will notice that an unwanted person has been added to the group and that the notice that appears indicating the new addition would be sufficient.
As one of the discoverers of this error says, it is like saying that nobody is going to steal in an open bank door because there is a security camera. The WhatsApp response seems quite innocent, and should not calm users.
So, what do you think about this? Simply share all your views and thoughts in the comment section below.