WhatsApp has significantly raised the bar for digital communication privacy across the globe by adding end-to-end encryption to its platform. However, WhatsApp’s end-to-end encryption is now in question, as security researchers have revealed a WhatsApp security flaw that can allow uninvited guests into group chats.
At the Real World Crypto Security Conference in Switzerland, researchers announced that they have found flaws in WhatsApp security. As per the security experts, anyone who controls the app’s servers can add new people into private group chats without requiring admin permission.
Once a new person enters a WhatsApp group, the phone of each member of that group chat automatically shares secret keys with that person. So, the new member will be able to read all outgoing messages, violating the confidentiality of the group and negating end-to-end encryption. While everyone in the group chat will be notified that a new member has joined, it will be up to the admin to notice and call out a suspicious invite.
The WhatsApp security flaw takes advantage of a bug in how the messaging app handles group chats. Though only the admin of a group can add new members, the platform doesn’t authenticate invitations with any mechanism that its own servers can’t spoof.
Researchers also suggest that a hacker with access to WhatsApp servers can selectively block any messages in the group. When asked about this WhatsApp security flaw, the company’s spokesperson said that the risk is limited as no one can secretly join a WhatsApp group chat. He stated,
“Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
The team of security experts suggests that the Facebook-owned messaging app could fix the issue by adding an authentication mechanism for new group invitations. That is, group invitations should be signed with a secret key that only the admin possesses.
Such added verification layers will likely make it impossible for WhatsApp to offer group invite links, which let users quickly add new members to a group. Users can also view a group’s membership by tapping on the Group info button and are able to verify the security code of individual members for added security.
Researchers also pointed out that users can opt for ‘Show Security Notifications’ to fix this WhatsApp security flaw. The feature notifies users when a contact’s security code has changed.
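The signed-invitation fix the researchers propose, sketched as an added example (not WhatsApp’s or the researchers’ code): each member checks the admin’s signature before accepting a new member and sharing keys. The use of Ed25519, the message fields, the replay counter and the assumption that members already hold the admin’s public key are all illustrative.

```javascript
// Added sketch: members only hand group keys to invitees the admin has signed for.
const nodeCrypto = require('crypto');

// Bytes covered by the signature. The counter is an assumption of this sketch,
// added so that a previously valid invitation cannot be replayed by the server.
function inviteBytes({ groupId, inviteeId, counter }) {
  return Buffer.from(JSON.stringify([groupId, inviteeId, counter]), 'utf8');
}

// Admin side: sign with the private key that never leaves the admin's phone.
function signInvite(privateKey, invite) {
  const sig = nodeCrypto.sign(null, inviteBytes(invite), privateKey);
  return { ...invite, sig: sig.toString('base64') };
}

// Member side: returns true only if the invitation verifies under the admin's
// public key; only then is the invitee added (and would be sent group keys).
function acceptInvite(state, msg) {
  if (msg.groupId !== state.groupId) return false;
  if (!Number.isInteger(msg.counter) || msg.counter <= state.lastCounter) return false;
  if (typeof msg.sig !== 'string') return false; // unsigned, e.g. injected by the server
  const sig = Buffer.from(msg.sig, 'base64');
  if (!nodeCrypto.verify(null, inviteBytes(msg), state.adminPublicKey, sig)) return false;
  state.lastCounter = msg.counter;
  state.members.add(msg.inviteeId);
  return true;
}

// Constructed scenario: one genuine invitation and three server-side forgeries.
function runDemo() {
  const admin = nodeCrypto.generateKeyPairSync('ed25519');
  const server = nodeCrypto.generateKeyPairSync('ed25519'); // server has no admin key
  const state = { groupId: 'g1', adminPublicKey: admin.publicKey,
                  lastCounter: 0, members: new Set(['alice', 'bob']) };
  const genuine = signInvite(admin.privateKey, { groupId: 'g1', inviteeId: 'carol', counter: 1 });
  const results = {
    genuine: acceptInvite(state, genuine),
    replayed: acceptInvite(state, genuine),
    unsigned: acceptInvite(state, { groupId: 'g1', inviteeId: 'mallory', counter: 2 }),
    serverSigned: acceptInvite(state,
      signInvite(server.privateKey, { groupId: 'g1', inviteeId: 'mallory', counter: 2 })),
    retargeted: acceptInvite(state, { ...signInvite(admin.privateKey,
      { groupId: 'g1', inviteeId: 'dave', counter: 2 }), inviteeId: 'mallory' }),
  };
  return { results, members: [...state.members].sort() };
}
```

Only the invitation signed by the admin changes the member list; the unsigned, server-signed, replayed and retargeted messages are all rejected before any keys would be shared.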