Flaw in WhatsApp and Signal exposes group chats to 'extremely difficult' hacks


But one Facebook official has hit back at the claim, saying that any members of a chat group would be notified if a new member joined, and that there was no secret way into WhatsApp chats. A report from Wired says that a group of researchers from the Ruhr University Bochum in Germany discovered a major flaw in WhatsApp's group chat mechanism.

It's not a problem that will impact most users, but chat apps like Signal and WhatsApp have been used for private conversations by everyone from politicians to government dissenters. All group members are deemed administrators, and can thus add a new group member by sending an encrypted group management message to the other participants.

The research findings totally negate the value of end-to-end encryption brought by WhatsApp nearly two years ago. Thus, servers cannot detect if the admin added new members or someone unknown joined the private conversation.

Moxie Marlinspike, a security researcher who developed Signal, which licenses its protocol to WhatsApp, said that the current app design is reasonable, and that the report only sends a message to others not to "build security into your products, because that makes you a target for researchers, even if you make the right decisions". It cited the researchers as saying that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group.

"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group".

"The privacy and security of our users are incredibly important to WhatsApp".


"And in groups with multiple administrators, the hijacked server could spoof different messages to each administrator, making it appear that another one had invited the eavesdropper so that none raises an alarm".

WhatsApp representatives told Wired there would be no fixes as a result of the research and that notifications of new chat additions are warning enough.

We've looked at this issue carefully. In such a case, it is impossible for them to share details with enforcement agencies that they themselves cannot access.

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them..." We built WhatsApp so group messages cannot be sent to a hidden user.

WhatsApp also stated that preventing the attack would put an end to its group invite link tool which allows anyone to enter a group just by tapping on a URL. "There is no way to suppress this message".

The idea of creating a backdoor itself is absurd, considering how a small hack that allows authorities to bypass end-to-end encryption can be exploited or abused by cyber criminals and enemy states as well, thereby compromising the privacy of every single individual using a particular messaging service.
