A group of security researchers from Ruhr University in Germany has revealed a security loophole in the end-to-end encrypted messaging app WhatsApp. They say that they plan on revealing similar flaws in apps such as Signal and Threema. The common thing here is that they all use the Signal protocol, made by Whisper Systems.
In short, anyone who has control of a WhatsApp server could effortlessly insert new people into a private group. This is an obvious security concern as all the messages sent after the insertion of the new entity can be intercepted.
The researchers said that the concern here is that governments often coerce companies to give access to servers or face a ban. They said that having a server with such kind of access renders end-to-end encryption useless as there is a single point of failure, which can be misused easily.
The issue is that WhatsApp does not use any authentication mechanism for an invite sent out by a group administrator. Therefore, the server can add a new member without any interaction with the administrator of the group. Then, the phone of every participant in the group shares secret keys with that member, giving them access to future messages. However, users still get a notification of a new member joining. If the administrator is aware of the person joining, he could warn users and kick out the malicious member. However, in case he does not notice, the group is compromised. The concern raised here is that in groups with multiple administrators, the user can send out messages to multiple admins, fooling them about who invited the user.
A WhatsApp spokesperson spoke to WIRED, where the news story initially broke and confirmed the researchers’ findings but emphasized that no one can secretly add a new member to a group—a notification does go through that a new, unknown member has joined the group.