Researchers in Germany say there is a flaw in WhatsApp that could allow an attacker to infiltrate group chats, according to Wired.

Researchers from the Ruhr University Bochum analyzed flaws in three encryption chat apps: WhatsApp, Signal and Threema. The experts planned to reveal their findings at the Real World Crypto security conference Wednesday in Switzerland.

In the paper “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,” released last week, researchers reveal flaws that counter the platforms’ claims that their group chats are secure.

Researchers said the flaw in WhatsApp can allow anyone who controls the platform’s servers to add new people into a private group without needing permission from the group chat’s administrator to enter the conversation. That flaw means that hackers who may break into WhatsApp servers could take advantage of that bug and infiltrate group chats. The impostor could also block messages, like questions or requests.

The researchers explained in the paper :

“The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.”

Researchers told WhatsApp about the issue last summer. In a statement to Wired, WhatsApp said it had looked into the problem.

"Existing members are notified when new people are added to a WhatsApp group,” the platform said. “We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”

However, the platform told Wired the bug didn’t qualify for the bug bounty program run by Facebook, which owns WhatsApp. In the program, security experts get paid to report bugs in the company’s software.

The researchers also detailed other flaws in Signal and Threema. In Signal’s case, the same group chat attack in WhatsApp is also found in the app. However, with Signal, an impostor would need to control the Signal server, and would need to know the Group ID and the phone number of one member, researchers said in the paper. As for Threema, there were smaller flaws that allowed an attacker who controls servers to replay messages or add users back into a group chat. The platform said it released a fix for the flaws.

“While our investigation focuses on three major instant messaging applications, our methodology and the underlying model is of generic purpose and can be applied to other secure group instant messaging protocols as well,” researchers concluded in the paper. “For example, it would be interesting to analyze the group chat implementations of other Signal-based messaging protocols, such as Google’s Allo, Wire, and Facebook Messenger, or even non Signal-based protocols similarly to our investigation of Threema.”

RELATED STORIES
Germany Google Software WhatsApp