WhatsApp’s end-to-end encryption might not be that secure after all. Yet another research has found loopholes in the messaging apps’ security protocols. Anyone who is in control of a WhatsApp server can easily add people to private group chats. The major development is surprising as WhatsApp has stated multiple times that security is the company’s main focus.
Research
The research group from Ruhr University Bochum conducted ran tests on multiple apps for any security flaws. These apps included Threema and Signal too, however, they passed the researchers’ test without any major security flaw.
WhatsApp, on the other hand, was found vulnerable as a major security flaw was found by the research group that could result in privacy breaches. The group’s paper on security flaw was later published as well. You can take a detailed look at it here.
One of the co-authors of the paper, Paul Rosler, also commented on WhatsApp’s lack of security saying;
The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them.
According to the research, anyone with access to the servers can add anyone to any private chat group. For example an employee at WhatsApp has access to multiple servers and can mess with any private encrypted group chats. Currently, the app only lets chat group admins add new members to a group.
WhatsApp says that though there isn’t any mechanism in place to authenticate the addition of someone to the group but there is a system to notify all members about it. Once a new person gets added to the chat, every member is notified about it. The person cannot read previous messages of chat as they are end-to-end encrypted. Still its no good news that a person other than admin can add someone to a chat.
WhatsApp really needs to do something about it to ensure complete security of the app. The research paper and its findings will be presented in Zurich at World Crypto Conference.