WhatsApp testing 'demote' feature for group chat admins

Dora Pope
January 14, 2018

But experts from Ruhr University Bochum in Germany said snoopers with access to WhatsApp's servers could potentially invite new members into other people's chats, allowing them to listen to their conversations.

According to the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to the group and it is possible for an unauthorised person, who is not even a member of the group, to add someone to the group chat.

New research from a team of German cryptographers, presented Wednesday at the Real World Crypto conference in Zurich, Switzerland, zeroed in on group messaging to show that security for a one-on-one conversation is far ahead of group chats.

They found that anyone with control over WhatsApp's servers can add people to private group chats, including staff, hackers and governments who legally demand access. All group members are deemed administrators, and can thus add a new group member by sending an encrypted group management message to the other participants. "Existing members are notified when new people are added to a WhatsApp group." WhatsApp is a widely used messenger and is available in more than 60 different languages, which include 10 Indian languages.

Security researchers have discovered a method of infiltrating group chats in WhatsApp, effectively rendering the chat tool's end-to-end encryption useless. And as only new messages can be viewed by a new member, the risk to privacy is mitigated somewhat.

In their paper, the researchers compared WhatsApp's security practices with those of Signal and Threema, and they ultimately concluded that WhatsApp is the least secure of the three when it comes to group messages.


WhatsApp noted that group members could view the other members of the group by tapping on "group info", though the security flaw would mean that encryption would not protect WhatsApp users who have not checked this and are therefore unaware that their group has been infiltrated.

In a statement to IANS on Thursday, a WhatsApp spokesperson said: "We've looked at this issue carefully."

Alex Stamos, chief security officer for WhatsApp owner Facebook Inc., downplayed the vulnerability today in a series of tweets on Twitter, where he emphasized the app's new chat member notifications as a key security feature.

WhatsApp has started allowing users to "dismiss" administrators of group chats. But attackers that can take control of a Threema server can replay messages or add a previously removed user back into a group, the researchers found.

This is a big problem, because WhatsApp prides itself on end-to-end encryption for its messages. Typical group chats are managed by one person who is identified as the administrator of the chat. Clients of a group retrieve membership from the server, and clients encrypt all messages they send e2e to all group members.
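The difference between a client that trusts server-relayed membership changes and one that authenticates them can be shown in a simplified model. This is an added example, not code from the article, the researchers' paper, or WhatsApp, Signal or Threema; the class names, the HMAC-over-pairwise-key scheme and the sequence counter are assumptions chosen for illustration.

```python
import hashlib
import hmac

def tag_for(key, group, target, seq):
    """MAC over an 'add member' request, keyed with a pairwise end-to-end key."""
    msg = f"add|{group}|{target}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class TrustingClient:
    """Accepts any membership change the server relays (the reported weakness)."""
    def __init__(self, members):
        self.members = set(members)

    def on_add(self, group, sender, target, seq, tag):
        self.members.add(target)
        return True

class VerifyingClient:
    """Accepts an add only if a known admin authenticated it end to end."""
    def __init__(self, group, admin_keys):
        self.group = group
        self.admin_keys = dict(admin_keys)   # admin name -> pairwise key (assumed)
        self.members = set(admin_keys)
        self.last_seq = {}                   # admin name -> highest seq accepted

    def on_add(self, group, sender, target, seq, tag):
        key = self.admin_keys.get(sender)
        if key is None or group != self.group:
            return False                     # sender is not a known admin
        if not hmac.compare_digest(tag, tag_for(key, group, target, seq)):
            return False                     # the server does not hold this key
        if seq <= self.last_seq.get(sender, 0):
            return False                     # replayed management message
        self.last_seq[sender] = seq
        self.members.add(target)
        return True

def demo():
    key = b"constructed-pairwise-key"        # constructed sample key
    forged = ("g1", "alice", "mallory", 1, b"\x00" * 32)
    genuine = ("g1", "alice", "carol", 1, tag_for(key, "g1", "carol", 1))
    naive = TrustingClient({"alice"})
    strict = VerifyingClient("g1", {"alice": key})
    results = [naive.on_add(*forged), strict.on_add(*forged),
               strict.on_add(*genuine), strict.on_add(*genuine)]
    return results, naive.members, strict.members
```

The trusting client admits the unauthenticated member, while the verifying client rejects both the forged request and the replay of a genuine one.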
