March 22, 2018

Flaw in WhatsApp and Signal exposes group chats to 'extremely difficult' hacks

14 January 2018, 12:17 | Sam Montgomery

WhatsApp Security Flaw Lets Hackers Enter Any Group Unnoticed

Creepy hackers could secretly eavesdrop on your private WhatsApp group chats, experts claim

A huge WhatsApp design flaw that allows anyone to infiltrate private group chats has been uncovered by security researchers.

Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server the attacker also needs to know the chat's Group ID - which is nearly impossible to know without having physical access to one of the phones in the message thread.

San Francisco: WhatsApp is reportedly testing a new button in group chats that will allow one administrator to "demote" other administrators, without first deleting them from the group and then adding again as normal participants.

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", Paul Rösler, one of the co-authors of the paper, told Wired. In their research, German cryptographers found that WhatsApp group chats are hackable, noting that any new member can read the group chats.

The problem sits in WhatsApp's authentication mechanism for adding people to group chats. WhatsApp is a widely used messenger and is available in more than 60 different languages which include 10 Indian languages.

Despite the service's end-to-end encryption, experts say hackers can insert people into WhatsApp groups without the permission of the chat's admin. However, users still get a notification of a new member joining.

The researchers dug up less serious flaws in the more specialized secure messaging apps Signal and Threema, too.

WhatsApp is yet to respond to this report. And, if you scroll through the unread messages in the WhatsApp group manually, then the button will vanish automatically.

Alex Stamos, chief security officer for WhatsApp owner Facebook Inc., downplayed the vulnerability today in a series of tweets on Twitter, where he emphasized the app's new chat member notifications as a key security feature. Thus, servers cannot detect if the admin added new members or someone unknown joined the private conversation.

However, researchers from Germany discovered that WhatsApp's end-to-end encryption might be useless because it does not protect from unauthorized access via the company's servers. In the paper summarizing their findings, the researchers recommend that users who rely on absolute privacy stick to Signal or individual private messaging. "It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted", the spokesperson added. Typical group chats are managed by one person who is identified as the administrator of the chat.
