Secure messaging app WhatsApp may not be so secure after all, as a team of German researchers uncovered some flaws that could allow third parties to compromise private group chats. WhatsApp added end-to-end encryption a couple of years ago, aiming to prevent any third-party users from accessing private conversations. With end-to-end encryption, only the sender and the recipient should have access to their chat. According to the latest findings, however, others could access WhatsApp group chats without the permission of the group chat administrator, who should normally be in charge of who gets to be part of the group.
A group of cryptographers from Germany’s Ruhr University Bochum detailed the flaws at the Real World Crypto security conference in Switzerland, highlighting how secure communications on WhatsApp could be compromised. On the bright side, the risk of someone exploiting the uncovered flaw is limited, as attackers would need access to WhatsApp’s servers in order to snoop on others’ group conversations. At the same time, once in, eavesdroppers would only be able to monitor conversations from that point on; they would not be able to read past chats. Nevertheless, since an uninvited party would be able to gatecrash a group chat, the confidentiality of the group would be compromised. The researchers further point out that end-to-end encryption is meant to protect users against precisely this kind of risk, ensuring that conversations are safe from prying eyes and not accessible to anyone other than the intended audience.
In conclusion, the researchers’ findings indicate that anyone with access to WhatsApp’s servers could eavesdrop on users’ private group conversations. This, in turn, contradicts WhatsApp’s claim that end-to-end encryption protects the service against any type of surveillance. End-to-end encryption for both two-party communications and group chats should guarantee that third parties cannot add new members to others’ group chats; otherwise the encryption loses its value, the researchers add. As for who can access WhatsApp’s servers, that privilege is limited to WhatsApp staff and governments that legally demand access, setting aside the possibility of illegal intrusion. The security researchers suggest that WhatsApp could reduce the risk of high-level hackers gaining access to group chats by adding an extra authentication measure to new group invitations, using a secret key from the group chat administrator.
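The mitigation the researchers describe, authenticating group membership changes with a key that only the administrator holds, can be illustrated in code. The following is an added example written for this article; it is not the researchers’ code and not WhatsApp’s protocol. It assumes a hypothetical "add member" control message, an Ed25519 key pair held by the admin, and that every member already knows the admin’s public key (learned out of band, for instance during group creation). A member client accepts an add only if the admin’s signature over the group id, the new member and a monotonic counter verifies; a message injected by whoever controls the server, which lacks the admin’s private key, is rejected, as is a replayed or tampered one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// GroupAdd is a hypothetical group-management control message:
// "the admin adds Member to GroupID". Sig is the admin's signature.
type GroupAdd struct {
	GroupID string
	Member  string
	Counter uint64 // strictly increasing per admin; blocks replay of old adds
	Sig     []byte
}

// appendString writes a length-prefixed string so that ("ab","c") and
// ("a","bc") cannot produce the same signed bytes.
func appendString(buf []byte, s string) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	buf = append(buf, l[:]...)
	return append(buf, s...)
}

// encode builds the exact bytes that are signed and verified.
func encode(groupID, member string, counter uint64) []byte {
	buf := appendString(nil, groupID)
	buf = appendString(buf, member)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	return append(buf, c[:]...)
}

// Admin holds the private key that the server never sees (assumption).
type Admin struct {
	priv    ed25519.PrivateKey
	counter uint64
}

// AddMember produces a signed control message for a new member.
func (a *Admin) AddMember(groupID, member string) GroupAdd {
	a.counter++
	msg := encode(groupID, member, a.counter)
	return GroupAdd{GroupID: groupID, Member: member, Counter: a.counter,
		Sig: ed25519.Sign(a.priv, msg)}
}

// Member is a client's view of one group: the admin's public key,
// the last counter it accepted and the membership roster it believes in.
type Member struct {
	adminPub    ed25519.PublicKey
	groupID     string
	lastCounter uint64
	Roster      map[string]bool
}

func NewMember(adminPub ed25519.PublicKey, groupID string) *Member {
	return &Member{adminPub: adminPub, groupID: groupID, Roster: map[string]bool{}}
}

// Apply accepts an add only when it targets this group, is newer than the last
// accepted one, and carries a valid signature from the admin key.
func (m *Member) Apply(msg GroupAdd) error {
	if msg.GroupID != m.groupID {
		return errors.New("control message for a different group")
	}
	if msg.Counter <= m.lastCounter {
		return errors.New("replayed or stale control message")
	}
	if !ed25519.Verify(m.adminPub, encode(msg.GroupID, msg.Member, msg.Counter), msg.Sig) {
		return errors.New("invalid admin signature: add rejected")
	}
	m.lastCounter = msg.Counter
	m.Roster[msg.Member] = true
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	admin := &Admin{priv: priv}
	alice := NewMember(pub, "group-42") // constructed sample group id

	fmt.Println("admin adds bob:   ", alice.Apply(admin.AddMember("group-42", "bob")))
	// A party controlling the server cannot sign: it can only inject an
	// unsigned (or wrongly signed) add, which the client refuses.
	forged := GroupAdd{GroupID: "group-42", Member: "mallory", Counter: 2}
	fmt.Println("server adds mallory:", alice.Apply(forged))
	fmt.Println("roster:", alice.Roster)
}
```

The counter is the piece most easily forgotten: without it, the server could re-deliver a genuinely signed add for a member the admin later removed. In a full design the same signature scheme would cover removals and admin changes, and the admin key itself would be bound to the admin’s identity key so that the server cannot substitute one.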