Everybody loves WhatsApp: it’s fun, convenient, and best of all, it provides end-to-end encryption for every conversation. Since this privacy feature was announced in 2016, the bar was raised for digital communication privacy across the industry, establishing WhatsApp as a company that prided itself on its security capabilities.
But recent research into the app’s group chat administration uncovered an unusual flaw that has a lot of users concerned. This flaw theoretically makes it possible for total strangers to be added to any group chat, defeating the purpose of those encrypted messages.
Before you uninstall WhatsApp from your phone, let’s take a closer look at this security flaw—and what you can do about it.
A fatal flaw?
One of the trickiest aspects of encryption for WhatsApp has always been the group chat feature. Ensuring that a secure series of messages with multiple recipients is only shared with its intended audience and remains safe from infiltration—this was paramount to WhatsApp’s promises about high-end security. It’s no small feat, and the company may have overlooked a strange potential flaw.
Earlier this month at the Real World Crypto security conference in Zurich, Switzerland, a group of German cryptographers from Ruhr University Bochum revealed that anyone who has access to or controls WhatsApp’s servers could easily insert a new user into any private group.
Technically, only an administrator is allowed to invite new members into a group. But WhatsApp doesn’t currently have a mechanism in place for invite authentication. This means that using the server to spoof an invitation would allow the addition of new members to the group—without the approval of an administrator. The smartphones of other members in the group would then automatically share secret keys with the newly added individual, providing them full access to all future communications.
Even more concerning, the researchers discovered methods of delaying the detection of a new participant in the group by caching messages and blocking communications warning of an intrusion.
WhatsApp has over a billion users, so it’s no surprise that people are worried. But what does this security flaw really mean for you?
In a statement published in WIRED, a WhatsApp spokesperson advised users that they’ll still receive a notification when an unknown user joins a group chat, making it easy to spot an intruder. The company has also stated that the flaw is just theoretical.
Since an intruder can only enter through a server, the chances of a breach occurring without WhatsApp’s knowledge are reduced. But some worry that this flaw could be exploited by official bodies demanding access to data from encrypted group chats. For those who use the messaging system to send sensitive communications, that’s a big concern.
From infiltrated group chats to hacked emails and more, top-notch data security is more important now than ever. We can help. Contact the data security professionals at eMazzanti today to find out more about keeping your most sensitive data safe and sound.
Bryan Antepara: IT Specialist
Bryan Antepara is a leader in Cloud engagements with a demonstrated history of digital transformation of business processes with the user of Microsoft Technologies powered by the team of eMazzanti Technologies engineers.
Bryan has a strong experience working with Office 365 cloud solutions, Business Process, Internet Information Services (IIS), Microsoft Office Suite, Exchange Online, SharePoint Online, and Customer Service.
He has the ability to handle the complexity of moving data in and out of containers and cloud sessions, makes him the perfect candidate to help organizations large and small migrate to new and more efficient platforms. Bryan is a graduate of the University of South Florida and is Microsoft Certification holder.