A team of researchers at the Horst Görtz Institute for IT Security (HGI) at the Ruhr-Universität Bochum has demonstrated that unauthorized participants can sneak into Whatsapp group chats without being invited by the group’s administrator – in theory, at least. This could render meaningless the end-to-end encryption Whatsapp introduced two years ago, which is meant to make private messages impenetrable to third parties. Prof. Dr. Jörg Schwenk, Dr. Christian Mainka and Paul Rösler from the Chair for Network and Data Security at the RUB revealed the security flaws on 10 January 2018 at the Real World Crypto Conference in Zurich.
Groups and administrators
The Whatsapp messaging service allows multiple users to join a group chat together. The group will include one or more administrators; only these administrators can add new users to the group.
Outsiders could infiltrate groups
The uncovered security flaws could allow outsiders to infiltrate a group via the Whatsapp server, which would allow them to read all of the messages sent up until that point. To do this, however, they would have to take control over the Whatsapp server, which would be a task for only the most experienced hackers – or Whatsapp employees or governments, who could use legal means to force the company to grant them access. There is therefore no immediate reason for panic. In their paper, the researchers also provide suggestions for how to close the relevant security holes.
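To make the point concrete, here is an added model (not Whatsapp's protocol and not the researchers' code): group clients that accept membership changes straight from the relaying server, beside clients that accept a change only when it is authenticated under the admin's key, which the server never holds. The names, the HMAC standing in for an admin signature and the sample updates are constructed.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the admin's signing key (not Whatsapp's). A real
# design would use an asymmetric signature so non-admin members cannot forge either.
ADMIN_KEY = b"constructed-admin-key"


def membership_update(op, user, admin_key=None):
    """Build a membership update. With admin_key the body is authenticated end to
    end; without it, the update is simply whatever the relaying server asserts."""
    body = {"op": op, "user": user}
    update = {"body": body}
    if admin_key is not None:
        canonical = json.dumps(body, sort_keys=True).encode()
        update["tag"] = hmac.new(admin_key, canonical, hashlib.sha256).hexdigest()
    return update


class GroupClient:
    """One member's view of the group. admin_key=None models the weak design in
    which membership changes relayed by the server are trusted as-is."""

    def __init__(self, admin, admin_key=None):
        self.members = {admin}
        self.admin_key = admin_key

    def apply(self, update):
        """Return True if the update was accepted and applied."""
        body = update["body"]
        if self.admin_key is not None:
            canonical = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self.admin_key, canonical, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, update.get("tag", "")):
                return False  # hardened client drops an unauthenticated change
        if body["op"] == "add":
            self.members.add(body["user"])
        return True


def demo():
    """Feed both client designs one genuine admin add and one add injected by the
    relaying server; return (weak_members, hardened_members)."""
    admin_add = membership_update("add", "bob", ADMIN_KEY)
    server_add = membership_update("add", "mallory")  # server holds no admin key
    weak, hardened = GroupClient("alice"), GroupClient("alice", ADMIN_KEY)
    for client in (weak, hardened):
        client.apply(admin_add)
        client.apply(server_add)
    return weak.members, hardened.members
```

The weak client ends up with the server-injected member in its group, while the hardened client keeps only the admin-authorised membership.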
Other messaging services affected
The RUB team also used the conference to reveal security flaws in the Signal and Threema messenger services. These flaws, however, are not as extensive as those in Whatsapp.
The research team’s pre-print is available online here.