WhatsApp has traditionally been the instant messaging application that has received the most criticism for its lack of security. In 2011 a vulnerability could leave conversations uncovered, in 2012 the problems continued … Until in 2014 the solution arrived to most of the concerns with end-to-end encryption, whose total deployment ended in April 2016 . However, they have just managed to circumvent this system and it has not been easy.
In the Real World Crypto Symposium celebrated yesterday in Zurich (Switzerland), a group of cryptographers of the Ruhr University of Bochum (Germany) have found a failure that allows to skip the end-to-end encryption in the groups.
Specifically, it allows to introduce new people in a private group of WhatsApp even without the permission of the administrator, who in principle would be the only one with the power to control access to the conversation. The unexpected guest, therefore, could receive from that moment the new messages that are generated, something that undermines the confidence in the security of the application according to statements of the researchers cited by Wired .
The confidentiality of the group is broken as soon as the uninvited member can get all the new messages and read them. […] If I hear that there is end-to-end encryption for both groups and communications between two parties, that means that you must protect against the addition of new members. And if not, the value of the encryption is very little.
It’s not so easy: you would need access to WhatsApp servers
The security breach discovered by the researchers is worrisome, no doubt, butexploiting it is not easy . Its use would be limited to individuals with access to the company’s servers, as employees of WhatsApp itself, advanced hackers or government authorities who have been given access for some kind of legal requirement.
Once an attacker had access, he could take control of any group created in the application, record the messages of its different members, their phone numbers and even camouflage their entry into the conversation , which according to the operation of the service would be notified as the union to the group of any other user.
In an article that the researchers have titled as “More is less: about the integral security of groups of chats in Signal, WhatsApp and Threema”, since they have also been busy investigating the security of these other two applications, without finding errors of Openworking, they explain the implications of vulnerability .
The weaknesses described allow the attacker A, which controls the WhatsApp server or can break the security of the transport layer, take total control over a group. Entering the group, however, leaves traces since this operation appears in the graphical user interface. The WhatsApp server can use the fact that it can reorder and drop messages in the group stealthily.
In this way, you can cache the messages sent to the group, read its contents first and decide in which order they are sent to the members. In addition, the WhatsApp server can forward these messages to members individually in such a way that a subtly chosen combination of messages can help cover the traces.
This being the case, the premise would be broken that an end-to-end encryption does not expose the information even with a compromised server , although that protection has not been broken. A priori only an administrator can invite a new member, but WhatsApp does not use any authentication system to manage those invitations that their own servers can not impersonate. Therefore, with its control, it is possible to carry out the attack by having each participant’s phone automatically share their secret encryption keys.
In WhatsApp they recognize the researchers’ discovery, but they downplay it
Alex Stamos, general manager of security of Facebook, shared a few hours ago on Twitter Wired’s article in which they made a broad echo of the discovery of these cryptographers of the Ruhr University of Bochum initiating a thread of tweets with different nuances.
For the executive, the headline “The security flaws of WhatsApp could allow intruders to chat in group chats” is frightening. But, he says, “there is no secret way to enter the chats of the WhatsApp groups” pointing out that as the text itself points out, the members of a group would see a message announcing the entry of a new member.
In WhatsApp, existing members of a group are notified when new people are added. WhatsApp is designed so that group messages can not be sent to hidden users and provides multiple ways for users to confirm who receives a message before it is sent.
WhatsApp has examined the report carefully. Following the researcher’s plan would require a change in the way that WhatsApp provides a popular feature called group invitation links, which are used millions of times a day.
Stamos also said that there could be a way to provide this functionality – that of the invitations links, the cause of which there is no strong authentication mechanism when inviting groups – with more protections, but he assures that it is not clear .
Finally, the head of Facebook, the company that owns WhatsApp, summarizes the controversy and the doubts generated by stating that “clear notifications and multiple ways to check who is in your group avoid silent eavesdropping”. Although the desirable thing would be that it was not the user who had to realize the entry of intruders , but the system itself prevented it in any way, no matter how sophisticated the method to achieve it. “The content of the messages sent in the WhatsApp groups is still protected by end-to-end encryption,” Stamos concluded.