A newly discovered security flaw in WhatsApp exposes the user's group chats to hackers. Unfortunately, there are no current fixes available to address this issue.
The messaging app reportedly uses end-to-end encryption, which supposedly prevents any third party from eavesdropping on a conversation. Yet that does not seem to be the case, as a flaw in its security can allow anyone to join the conversation. Once they're in, the hackers can only monitor future communication, which keeps past messages safely tucked away from prying eyes.
Last week, reports made headlines as a researcher from Google's Project Zero team exposed an accidental security flaw on various CPUs. The Meltdown and Spectre threats prompted manufacturers and vendors to release updates to mitigate possible future attacks.
Now, a group of German cryptographers from Ruhr University shared its findings during the Real World Crypto security conference, which was held in Switzerland.
The team pointed out that WhatsApp promises its users a secure service in which only a chat group administrator can add and remove chat members. However, the exploit proves that anyone in control of the app's servers can actually monitor and spy on anyone.
This discovery supposedly undercuts the developers' claims that their service uses end-to-end encryption that blocks any means of surveillance.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," says Paul Rösler, one of the Ruhr University researchers. "If I hear there's end-to-end encryption for both groups and two-party communications, the means adding of new members should be protected against. And if not, the value of encryption is very little."
Security experts note that the WhatsApp threat might seem like an alarming flaw. However, in order to execute any kind of administrator command, the user must have access to WhatsApp's servers.
That requirement is very strict: access is limited to accredited staff or governments with a legal demand for it. High-level hackers might have a shot at it, yet that is highly unlikely, according to company insiders.
Furthermore, Alex Stamos, the chief security officer for Facebook, posted his opinion on Twitter regarding the supposed threat. He reasoned that users have several options to verify group chat members. Stamos confirms that participants can always check the current roster to see if unwanted guests are listening in.
In sum, the clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.
— Alex Stamos (@alexstamos) January 10, 2018
Currently, it appears that no action will be taken to change any of the protocols for WhatsApp unless something else comes up that allows hackers to view all of the group's chat history.