WhatsApp security flaw can allow anyone to slide into Group chats: Researchers
WhatsApp is one of the most widely used instant messaging services worldwide, and comes with end-to-end encryption that promises your conversations are safe. A group of researchers, however, have claimed that a security flaw can allow WhatsApp Group chats to be snooped.
According to researchers, the security flaw can let anyone with control of the instant messaging service's servers add people to a WhatsApp Group chat without the permission of the admin of the group. “We chose to analyse WhatsApp, because it is one of the most widely used instant messenger applications with more than one billion users,” noted the paper on WhatsApp’s group messaging vulnerabilities.
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Wired cites Paul Rosler, who was one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities.
“Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof,” the paper said. So, the server can simply add a new member to a group with no interaction on the part of the administrator.
The smartphone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages, claimed the researchers.
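The difference between a client that trusts any server-relayed "add member" message and one that first checks the admin authorised it, as an added example (not WhatsApp's code or the researchers'). All names are hypothetical, and an HMAC under a key the server does not hold stands in for an admin signature; a real design would use an asymmetric signature so that other members cannot forge it either.

```python
import hashlib
import hmac
import json

def make_add(admin_key: bytes, group_id: str, new_member: str) -> dict:
    """Admin's client: build an 'add member' message with a tag the server cannot compute."""
    body = json.dumps({"group": group_id, "add": new_member}, sort_keys=True)
    tag = hmac.new(admin_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class MemberClient:
    """Group member's client; records who it would hand its message keys to."""

    def __init__(self, group_id: str, admin_key: bytes, verify_admin: bool):
        self.group_id = group_id
        self.admin_key = admin_key
        self.verify_admin = verify_admin
        self.keys_shared_with = []

    def on_add(self, msg: dict) -> bool:
        """Process an 'add member' message relayed by the server."""
        if self.verify_admin:
            expected = hmac.new(self.admin_key, msg["body"].encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                return False  # not authorised by the admin: share nothing
        change = json.loads(msg["body"])
        if change["group"] != self.group_id:
            return False  # authorised for a different group
        self.keys_shared_with.append(change["add"])
        return True

def demo() -> dict:
    admin_key = b"constructed-admin-secret"  # constructed value, unknown to the server
    # Constructed server-originated add: no admin involved, so the tag is invalid.
    forged = {"body": json.dumps({"group": "g1", "add": "uninvited"}, sort_keys=True),
              "tag": "00" * 32}
    genuine = make_add(admin_key, "g1", "invited")
    trusting = MemberClient("g1", admin_key, verify_admin=False)  # behaviour described above
    checking = MemberClient("g1", admin_key, verify_admin=True)
    return {
        "trusting_accepts_forged": trusting.on_add(forged),
        "checking_accepts_forged": checking.on_add(forged),
        "checking_accepts_genuine": checking.on_add(genuine),
        "checking_shared_with": checking.keys_shared_with,
    }
```
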
The described weaknesses in WhatsApp enable an attacker who controls the WhatsApp server to break the transport layer security and take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface.
“The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces,” the paper added.
Facebook’s Chief Security Officer Alex Stamos promptly responded to the WhatsApp vulnerability report and tweeted, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”
Stamos defended WhatsApp and said, “On WhatsApp, existing members of a group are notified when new people are added. WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.”
The company further claimed that it has looked at the vulnerability report and that following the researchers’ plan would necessitate a change to the way WhatsApp provides a popular feature called group invite links, which are used millions of times per day.
“In sum, the clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption,” Stamos added.
Source by timesnownews.