WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats [Updated]

Sidney Fussell

A team of cryptographers from Germany’s Ruhr University Bochum say they have uncovered flaws in WhatsApp’s security that could limit the benefits of the messaging service’s vaunted end-to-end encryption in group chats.

Their newly published paper, “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,” claims that anyone who controls WhatsApp’s servers, including company employees, can covertly add members to any group—an assertion the developers behind WhatsApp’s security refute.

From the paper:

5.4 Impact of the Weaknesses’ Combination

The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.

Only admins can add new members to private groups. But the researchers found that anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access to WhatsApp servers or a government successfully pressuring WhatsApp to give it access to targeted group chats.

Perhaps even more troubling, a compromised admin with control of the server could manipulate the messages that would alert group members that someone new had been added, according to the researchers. However, WhatsApp denies this is an issue.
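To make the admin-only membership point above concrete, here is an added illustration (not code from the paper, Signal, or WhatsApp) of a simplified group client. It assumes a constructed model in which a membership update names its issuer, and compares a client that trusts that field as delivered by the server with one that requires an authenticator under a per-admin key (an HMAC standing in for a real digital signature) before it will add anyone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed model, not WhatsApp's real protocol: a membership update carries who is
# being added and which admin claims to have authorised it. A client that trusts the
# issuer field accepts whatever the transport delivers; a client that demands an
# authenticator under a key only the admin holds rejects updates the server made up.

@dataclass
class MemberUpdate:
    group_id: str
    action: str            # only "add" is modelled here
    target: str            # member being added
    issuer: str            # admin claimed to have issued the update
    tag: str = ""          # authenticator over the fields above; empty if none

    def payload(self) -> bytes:
        return json.dumps([self.group_id, self.action, self.target, self.issuer]).encode()

def authenticate(update: MemberUpdate, admin_key: bytes) -> MemberUpdate:
    """Admin side: bind the update to the admin's key (HMAC stands in for a signature)."""
    update.tag = hmac.new(admin_key, update.payload(), hashlib.sha256).hexdigest()
    return update

@dataclass
class GroupClient:
    group_id: str
    admins: set
    members: set
    admin_keys: dict = field(default_factory=dict)  # issuer -> verification key
    require_auth: bool = True

    def apply(self, update: MemberUpdate) -> bool:
        """Return True if the update is accepted and the member list changed."""
        if update.group_id != self.group_id or update.action != "add":
            return False
        if update.issuer not in self.admins:
            return False
        if self.require_auth:
            key = self.admin_keys.get(update.issuer)
            if key is None:
                return False
            expected = hmac.new(key, update.payload(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, update.tag):
                return False
        self.members.add(update.target)
        return True

def demo():
    alice_key = b"constructed-admin-key-alice"       # known to Alice and the members, not the server
    forged = MemberUpdate("g1", "add", "eve", issuer="alice")   # injected by the transport, no key
    legit = authenticate(MemberUpdate("g1", "add", "dave", issuer="alice"), alice_key)
    weak = GroupClient("g1", {"alice"}, {"alice", "bob"}, require_auth=False)
    strong = GroupClient("g1", {"alice"}, {"alice", "bob"}, {"alice": alice_key})
    return weak.apply(forged), strong.apply(forged), strong.apply(legit)
```

The weak client admits the forged add while the authenticating client refuses it and still accepts the genuine admin update.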

Wired confirmed the researchers’ findings with a WhatsApp spokesperson. While the company, which is owned by Facebook, acknowledges the issue of server security, the spokesperson pushed back on the idea that attackers could block, cache, or otherwise prevent the alert that new members have been added.

“We’ve looked at this issue carefully,” a WhatsApp spokesperson wrote to Wired. “Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”

The researchers agree that the level of sophistication needed to compromise WhatsApp servers makes this exact attack scenario unlikely, but that’s no excuse for security holes in an otherwise sharp system.

“If I hear there’s end-to-end encryption for both groups and two-party communications,” researcher Paul Rösler told Wired, “that means adding of new members should be protected against.”

Update 2:32pm: In a response to the Wired story posted to Hacker News, Moxie Marlinspike, co-founder of Open Whisper Systems, which developed the end-to-end encryption used in Signal and WhatsApp, refutes the researchers’ claim that an attacker could conceal alerts from other chat members that someone was added to a group. “The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn’t have,” Marlinspike writes, adding, “All group members will see that the attacker has joined. There is no way to suppress this message.”

“Given the alternatives, I think that’s a pretty reasonable design decision, and I think this headline pretty substantially mischaracterizes the situation,” Marlinspike writes. “I think it would be better if the server didn’t have metadata visibility into group membership, but that’s a largely unsolved problem, and it’s unrelated to confidentiality of group messages.”

Marlinspike further takes issue with the researchers describing this design decision as a flaw, characterizing their efforts to poke holes in WhatsApp security as a byproduct of the company touting its security benefits.

“To me, this article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not,” Marlinspike writes. “It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.”

Correction: While the research indicates that it is possible for an infiltrator to add members to a group chat without members noticing by manipulating alerts, it’s not guaranteed that doing so could be kept secret from the group’s members.

[Wired]
