end-to-end encryption to every conversation for its billion users two years ago, the mobile messaging giant significantly raised the bar for the privacy of digital communications worldwide. But one of the tricky elements of encryption—and even trickier in a group chat setting—has always been ensuring that a secure conversation reaches only the intended audience, rather than some impostor or infiltrator. And according to new research from one team of German cryptographers, flaws in WhatsApp make infiltrating the app’s group chats much easier than ought to be possible. At the Real World Crypto security conference Wednesday in Zurich, Switzerland, a group of researchers from the Ruhr University Bochum in Germany plan to describe a series of flaws in encrypted messaging apps including WhatsApp, Signal, and Threema. The team argues their findings undermine each app’s security claims for multi-person group conversations to varying degrees. But while the Signal and Threema flaws they found were relatively harmless, the researchers unearthed far more significant gaps in WhatsApp’s security: They say that anyone who controls WhatsApp’s servers could effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.
‘It’s just a total screwup. There’s no excuse.’Matthew Green, Johns Hopkins University
Group Threat
The German researchers say their WhatsApp attack takes advantage of a simple bug. Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof. So the server can simply add a new member to a group with no interaction on the part of the administrator, and the phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages. (Messages sent prior to an illicit invitation, fortunately, still can’t be decrypted.) Everyone in the group would see a message that a new member had joined, seemingly at the invitation of the unwitting administrator. If the administrator is watching closely, he or she could warn the group’s intended members about the interloper and the spoofed invitation message. But the Ruhr University researchers and Johns Hopkins’ Green point out several tricks that could be used to delay detection. Once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant. “He can cache all the message and then decide which get sent to whom and which not,” says Rösler. And in groups with multiple administrators, the hijacked server could spoof different messages to each administrator, making it appear that another one had invited the eavesdropper, so that none raises an alarm. It could even prevent any administrator’s attempt to remove the eavesdropper from the group if discovered.Some Limits
In a phone call with WIRED, a WhatsApp spokesperson confirmed the researchers’ findings, but emphasized that no one can secretly add a new member to a group—a notification does go through that a new, unknown member has joined the group. The staffer added that if an administrator spots a fishy new addition to a group, they can always tell other users via another group, or in one-to-one messages. And the WhatsApp spokesperson also noted that preventing the Ruhr University researchers’ attack would likely break a popular WhatsApp feature known as a “group invite link” that allows anyone to join a group simply by clicking on a URL. “We’ve looked at this issue carefully,” a WhatsApp spokesperson wrote in an email. “Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.” To be fair, this technique wouldn’t be a very stealthy strategy in the long run for government spying. Sooner or later, users would likely notice that unexpected strangers were showing up in their chats. But that possibility of detection isn’t an adequate solution to WhatsApp’s underlying problem, argues John Hopkins’ Green. “That’s like leaving the front door of a bank unlocked and then saying no one will rob it because there’s a security camera,” Green says. “It’s dumb.” The Ruhr University researchers say they alerted WhatsApp to the problem with group messaging security last July. In response to their report, WhatsApp’s staff say they fixed one problem with a feature of their encryption that made it harder to crack future messages even after an attacker obtained one decryption key. But they told the researchers the group invitation bug they’d found was merely “theoretical” and didn’t even qualify for the so-called bug bounty program run by Facebook, WhatsApp’s corporate owner, in which security researchers are paid for reporting hackable flaws in the company’s software.‘If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against.’Paul Rösler, Ruhr University