WhatsApp Group Chats Can Be Easily Hacked, Even With End-to-End Encryption

Kelley Robertson
January 14, 2018

The team pointed out that WhatsApp promises its users a secure service in which only a chat group administrator can add and remove chat members.

The WhatsApp flaw allows anyone in control of WhatsApp servers to insert new participants into a private group without the permission of group admins.

The experts planned to reveal their findings at the Real World Crypto security conference Wednesday in Switzerland.

Once a new person is in, the phone of each member of that group chat automatically shares secret keys with that person, giving them full access to all future messages, but not past ones.

Essentially, Stamos said the researchers' report was flawed, as no one can secretly add a new member to a group.

According to the researchers, once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group. In the normal flow, the server checks that the user making the request is authorized to administer that group and, if so, sends a message to every member of the group indicating that they should add the new user. It would appear as if the new member had the permission of the admin to join.
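As an added example (not code from the article, the researchers, or WhatsApp), the sketch below models the membership handling described above: one client adds whoever the server names, the other accepts an add notice only if it carries a MAC from a known admin. The pairwise admin-to-member key, the notice fields, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def tag(pairwise_key: bytes, group: str, new_member: str) -> bytes:
    """MAC an add-member notice under a key only the admin and recipient hold."""
    msg = f"add|{group}|{new_member}".encode()
    return hmac.new(pairwise_key, msg, hashlib.sha256).digest()

class Member:
    def __init__(self, name, admins, pairwise_keys, verify):
        self.name = name
        self.admins = admins        # admin names this client knows
        self.keys = pairwise_keys   # admin name -> end-to-end pairwise key (assumed)
        self.verify = verify        # False models trusting the server's word
        self.roster = set()         # peers who will receive future group keys

    def on_add_notice(self, notice: dict) -> bool:
        """Handle a server-relayed 'add this user' notice; True if accepted."""
        if self.verify:
            key = self.keys.get(notice["admin"])
            if notice["admin"] not in self.admins or key is None:
                return False
            expected = tag(key, notice["group"], notice["new_member"])
            if not hmac.compare_digest(expected, notice.get("tag", b"")):
                return False
        self.roster.add(notice["new_member"])
        return True

def demo():
    k = os.urandom(32)  # constructed pairwise key between alice (admin) and bob
    genuine = {"group": "g1", "admin": "alice", "new_member": "carol",
               "tag": tag(k, "g1", "carol")}
    # Constructed notice originated by the server itself: it can name an
    # admin but cannot compute the tag, because it never holds k.
    server_made = {"group": "g1", "admin": "alice", "new_member": "mallory",
                   "tag": b"\x00" * 32}
    trusting = Member("bob", {"alice"}, {"alice": k}, verify=False)
    checking = Member("bob", {"alice"}, {"alice": k}, verify=True)
    results = {}
    for label, client in (("trusting", trusting), ("checking", checking)):
        results[label] = [client.on_add_notice(n) for n in (genuine, server_made)]
    return results, trusting.roster, checking.roster

if __name__ == "__main__":
    print(demo())
```

A real design would also bind each notice to a counter or nonce so that an old, genuine notice cannot be replayed.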


Facebook Chief Security Officer Alex Stamos replied to the claims by the researchers and tweeted: "There is no secret way into WhatsApp groups chats".

"We've looked at this issue carefully", the spokesperson added.

WhatsApp has launched a feature in its beta version that will let users switch to video calls from voice calls at the touch of a button.

"Read the Wired article today about WhatsApp - scary headline!"

The upcoming feature that sends notifications when you are mentioned in a group was initially spotted by WABetaInfo, which covers WhatsApp-related features and updates. "And if not, the value of encryption is very little", researcher Paul Rösler was quoted as saying in the report. However, WhatsApp has pointed out that it does give notifications and alerts when a new user is added to the group. It will now allow users to demote an admin without removing him/her from the group chat. "For example, it would be interesting to analyze the group chat implementations of other Signal-based messaging protocols, such as Google's Allo, Wire, and Facebook Messenger, or even non Signal-based protocols similarly to our investigation of Threema". Clients of a group retrieve membership from the server, and clients encrypt all messages they send end-to-end to all group members.
