FACEBOOK-OWNED WhatsApp suffers from a flaw that makes it possible for anyone to infiltrate private group chats without admin permission.
The vulnerability was outed by a bunch of cryptographers from Ruhr University Bochum in Germany, who announced their findings at the 'Real World Crypto Security Conference', a thing that apparently actually exists, in Zurich on Wednesday.
As reported by Wired, the German cryptographers claim that a "simple bug" in WhatsApp makes infiltrating group chats relatively easy - despite the chat app having rolled out end-to-end encryption to its one-billion-plus users.
The researchers' findings show that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group, even without the permission of the so-called administrator who controls access to that conversation.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," says Paul Rösler, one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities.
"If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little."
The researchers go on to explain that while only an admin of a WhatsApp group can invite new members, the messaging app has no mechanism for members to authenticate that invitation. This means WhatsApp's own servers can spoof the invitation, adding a new member to a group with no interaction on the part of the administrator.
The smartphones of every member of the group then automatically share secret keys with the new member, giving them full access to any future messages.
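The mechanism described above, as an added illustration that is not code from the researchers, Wired or WhatsApp: a toy group client that, in the vulnerable flow, accepts any "add member" control message the server delivers, beside a hardened client that only accepts updates the admin has signed over (group id, monotonic counter, new member). Lamport one-time signatures are used purely because they need nothing beyond hashlib; the group ids and member names are constructed.

```python
import hashlib
import secrets

def H(b): return hashlib.sha256(b).digest()

def lamport_keygen():
    # One-time signature keypair: 256 pairs of secrets and their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg):
    # Reveal one preimage per message-hash bit; a key must sign only once.
    h = int.from_bytes(H(msg), "big")
    return [sk[i][(h >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    h = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(sig[i]) == pk[i][(h >> (255 - i)) & 1] for i in range(256))

def encode_update(group_id, counter, new_member):
    # What the admin signs: group, monotonic counter (anti-replay), new member.
    return f"{group_id}|{counter}|{new_member}".encode()

class GroupClient:
    """A member's device. Accepting an 'add' is the point at which it would share keys."""
    def __init__(self, group_id, admin_pk, require_admin_sig):
        self.group_id, self.admin_pk = group_id, admin_pk
        self.require_admin_sig = require_admin_sig
        self.members, self.counter = {"admin"}, 0

    def handle_add(self, update):
        if self.require_admin_sig:
            msg = encode_update(self.group_id, update["counter"], update["new_member"])
            if (update["counter"] != self.counter + 1 or not update.get("sig")
                    or not lamport_verify(self.admin_pk, msg, update["sig"])):
                return False  # server-originated or replayed update: refuse, share no keys
        self.counter = update["counter"]
        self.members.add(update["new_member"])
        return True

def demo():
    admin_sk, admin_pk = lamport_keygen()
    forged = {"counter": 1, "new_member": "intruder", "sig": None}  # constructed: server-made
    vuln = GroupClient("g1", admin_pk, require_admin_sig=False)
    hard = GroupClient("g1", admin_pk, require_admin_sig=True)
    accepted_by_vuln = vuln.handle_add(forged)   # trusts the server: True
    accepted_by_hard = hard.handle_add(forged)   # no admin signature: False
    genuine = {"counter": 1, "new_member": "alice", "sig": lamport_sign(admin_sk, encode_update("g1", 1, "alice"))}
    accepted_genuine = hard.handle_add(genuine)  # admin-signed: True
    return accepted_by_vuln, accepted_by_hard, accepted_genuine
```

Because Lamport keys are one-time, the demo signs a single update; a deployment would use an ordinary signature scheme for the admin key.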
In a statement given to Wired, a WhatsApp spokesperson confirmed the researchers' findings but argued that no one can secretly add a new member to a group, because existing members are notified when a new, unknown member joins.
"We've looked at this issue carefully," the spokesperson said. "Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."
The WhatsApp mouthpiece noted that preventing the Ruhr University researchers' attack would likely break a popular WhatsApp feature known as a "group invite link" that allows anyone to join a group simply by clicking on a URL.
So, er, don't expect this issue to be fixed anytime soon. µ