WhatsApp is a communications tool that is used by people all around the world to stay connected for personal and business use. The big draw to the app for many is that it has an encrypted group chat feature, so you don’t need to worry that someone is listening in on what you are saying. However, security researchers have recently found a flaw with the app that could leave those encrypted group chats vulnerable to eavesdroppers.
The security researchers do point out that the risk associated with the flaw is limited, because the hackers need to have access to WhatsApp servers to insert themselves into a group conversation. The fear for some people is that this security flaw will result in WhatsApp being coerced by government agencies into allowing the flaw to be exploited to eavesdrop on conversations.
The issues are encryption flaws and were detailed at the Real Word Crypto security conference in Zurich, Switzerland by researchers from Ruhr University Bochum in Germany. The same security flaw also affects Signal and Threema messaging apps, but not to the degree that WhatsApp is affected according to researchers.
The WhatsApp flaw allows anyone in control of WhatsApp servers to insert new participants into a private group without the permission of group admins. The flaw takes advantage of an issue in how WhatsApp handles group chats. Currently, only the administrator of the group can invite new members, but the platform doesn't use authentication for an invitation its own servers can’t spoof.
When the uninvited group chat member was added to the group the participants would share secret keys with the new member allowing them to access future messages. Any previously sent messages in the group would be unreadable. Everyone in the chat would be able to see the new members and it would be on the group administrator to recognize the interloper and take action. In November a fake version of WhatsApp racked up over a million downloads.
"We’ve looked at this issue carefully," a spokesman told us. "Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."