Flaw in WhatsApp and Signal exposes group chats to 'extremely difficult' hacks

"WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent".

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", said Paul Rösler, one of the Ruhr University researchers speaking to Wired.

FACEBOOK-OWNED WhatsApp suffers from a flaw that makes it possible for anyone to infiltrate private group chats without admin permission. Usually, only admins can add new members to private groups. A research paper released at a security event this week describes how group chats can be leveraged by snoops.

Security researchers have revealed details of a vulnerability in WhatsApp's security that could be used to compromise the secrecy of encrypted group chats on the messaging platform.

At the moment, WhatsApp servers can only be accessed by its employees and by governments that follow the legal route to gain access through court orders.

With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages.

For the Signal messaging app, which uses the same underlying encryption protocol as WhatsApp, the security researchers found that the app contains the same group chat vulnerability, but it is further mitigated because an attacker would not only have to control the relevant Signal server but would also have to know the Group ID number for the chat (and these IDs are essentially unguessable). "Existing members are notified when new people are added to a WhatsApp group".

On the surface level, WhatsApp, which is owned by Facebook, looks to have a pretty big security flaw.

Once an attacker with access to a WhatsApp server had added a new member to a group, the phone of every participant would automatically share secret keys with that new member - affording them full access to any future messages.

Despite WhatsApp's secure end-to-end encryption for messages, German researchers have found a loophole that could allow hackers to worm their way into WhatsApp's group chats.

WhatsApp confirmed these findings to Wired, though it said that every time a new unknown member is added, the app sends out a notification alert. However, this is a security hole that cannot be excused, claims the report.

Researchers advise messaging services to address the issue by simply adding an authentication mechanism to ensure that the "signed" group management messages come only from the group administrator.
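The check the researchers recommend, sketched as an added Go example (not code from WhatsApp, Signal or the research paper): a client applies a membership change only when it carries a valid signature from the group administrator's key. The `GroupUpdate` and `Group` types, the field encoding and the sequence counter are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// GroupUpdate is a hypothetical membership change relayed by the server.
type GroupUpdate struct {
	GroupID, Action, Member string
	Seq                     uint64 // increases per group; blocks replays
	Sig                     []byte
}

// Group is one client's view; Admin is the administrator key it has pinned.
type Group struct {
	ID      string
	Admin   ed25519.PublicKey
	Members map[string]bool
	LastSeq uint64
}

// signedBytes quotes each field so adjacent values cannot run together.
func signedBytes(u GroupUpdate) []byte {
	return []byte(fmt.Sprintf("%q%q%q%d", u.GroupID, u.Action, u.Member, u.Seq))
}

// Apply changes membership only when the pinned admin key signed this exact update.
func (g *Group) Apply(u GroupUpdate) error {
	if u.GroupID != g.ID || !ed25519.Verify(g.Admin, signedBytes(u), u.Sig) {
		return errors.New("not signed by the group administrator")
	}
	if u.Seq <= g.LastSeq {
		return errors.New("stale or replayed update")
	}
	g.LastSeq, g.Members[u.Member] = u.Seq, u.Action == "add"
	return nil // for an add, only now would the client send group keys to u.Member
}

// Demo applies constructed updates: a genuine add, a forged add, a replay.
func Demo() (*Group, error, error, error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, rogue, _ := ed25519.GenerateKey(nil) // stands in for a key the server holds
	g := &Group{ID: "g1", Admin: pub, Members: map[string]bool{}}
	add := GroupUpdate{GroupID: "g1", Action: "add", Member: "bob", Seq: 1}
	eve := GroupUpdate{GroupID: "g1", Action: "add", Member: "eve", Seq: 2}
	add.Sig, eve.Sig = ed25519.Sign(priv, signedBytes(add)), ed25519.Sign(rogue, signedBytes(eve))
	return g, g.Apply(add), g.Apply(eve), g.Apply(add)
}
func main() { fmt.Println(Demo()) }
```

The server can still relay or withhold updates, but without the administrator's private key it cannot produce one that clients will act on.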

Moxie also took a potshot at the researchers, saying: "This article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don't build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not".
