Attacker with control over WhatsApp server can add members to group
Researchers from Ruhr University Bochum have investigated the encrypted chat apps Signal, Threema and WhatsApp. They conclude that WhatsApp allows an attacker with control over the server to add people to group chats on their own.
This requires no interaction from the group admins, as they write in a paper and explain to Wired. According to the site, this stems from a bug that causes WhatsApp not to authenticate the invitation of a new group member. An attacker, such as a government, could therefore add a member to an existing group and read all messages sent from that point on.
The members of the group would see that a new member has been added, but the attacker could pretend that this person was added by one of the admins. Also, an attacker with control over the server could, for example, selectively block messages from people who ask questions about the addition.
Cryptographer Matthew Green tells Wired this shouldn’t be possible. “If you’re building a system where everything depends on trusting the server, then you can immediately ditch all the complexity and forget about end-to-end encryption. This is a serious flaw. There’s no excuse for that.” He does not consider it a mitigating factor that a new group member is visible to the others. “It’s like opening the front door of a bank and saying no one will rob it because there’s a security camera.”
WhatsApp confirms the vulnerability. If the chat app wanted to close it, WhatsApp users would no longer be able to invite members to a group conversation via a link, and the company does not seem to want to take that step. The researchers notified WhatsApp in July of last year, but were not eligible for a reward under parent company Facebook’s bug bounty program, Wired said.
The researchers found a similar capability in Signal, but there an attacker would need to know the group ID in addition to controlling the server. One way to obtain that ID is to access the phone of one of the group members, in which case other risks arise anyway. They also found minor issues in Threema, such as message replay by a malicious server, which the app’s developers have fixed.
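To make the point concrete: the flaw described above is that group membership changes are accepted as the server delivers them, with no end-to-end check that an admin actually requested them. The added toy model below (example code written for this article, not code from WhatsApp, Signal, Threema or the researchers' paper) contrasts a client that trusts server-delivered membership updates with one that accepts an update only if it carries a valid tag from a group admin and a sequence number that advances, which also covers the replay issue mentioned for Threema. The group name, member names, the admin key and the message fields are all constructed for the example; to stay within the Python standard library the admin's tag is an HMAC, standing in for the per-admin public-key signature a real end-to-end design would use.

```python
import hashlib
import hmac
import json

# Constructed sample admin key. In this toy model the verification key stands in
# for an admin's public key; the server never holds it and so cannot tag updates.
ADMIN_KEYS = {"alice": b"constructed-admin-key-for-alice"}


def _canonical(update):
    """Deterministic encoding of the fields that an admin's tag covers."""
    fields = {k: update[k] for k in ("group", "seq", "action", "member", "by")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_update(group, seq, action, member, by, key):
    """An admin builds a membership update and tags it with their key."""
    update = {"group": group, "seq": seq, "action": action, "member": member, "by": by}
    update["tag"] = hmac.new(key, _canonical(update), hashlib.sha256).hexdigest()
    return update


class UnauthenticatedClient:
    """Vulnerable model: applies whatever membership update the server delivers."""

    def __init__(self, group, members):
        self.group = group
        self.members = set(members)

    def apply(self, update):
        if update["group"] != self.group:
            return False
        if update["action"] == "add":
            self.members.add(update["member"])
        elif update["action"] == "remove":
            self.members.discard(update["member"])
        return True  # nothing checks who asked for the change


class AuthenticatedClient:
    """Hardened model: the change must be tagged by an admin and must not replay."""

    def __init__(self, group, members, admins, admin_keys):
        self.group = group
        self.members = set(members)
        self.admins = set(admins)
        self.admin_keys = admin_keys
        self.last_seq = 0  # highest sequence number applied so far

    def apply(self, update):
        if update["group"] != self.group:
            return False
        by = update.get("by")
        if by not in self.admins or by not in self.admin_keys:
            return False  # only a known admin may change membership
        expected = hmac.new(self.admin_keys[by], _canonical(update), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update.get("tag", "")):
            return False  # server-injected or tampered update: tag does not verify
        if update["seq"] <= self.last_seq:
            return False  # replay of an update the client already applied
        self.last_seq = update["seq"]
        if update["action"] == "add":
            self.members.add(update["member"])
        elif update["action"] == "remove":
            self.members.discard(update["member"])
        return True


def demo():
    """Run the same two updates through both clients and report what each accepted."""
    # A genuine update produced by the admin alice.
    legit = make_update("g1", 1, "add", "carol", "alice", ADMIN_KEYS["alice"])
    # A server-injected update: the server claims alice added mallory but has no key
    # to tag it, so it ships a bogus tag (constructed sample).
    forged = {"group": "g1", "seq": 2, "action": "add", "member": "mallory",
              "by": "alice", "tag": "00" * 32}

    weak = UnauthenticatedClient("g1", ["alice", "bob"])
    strong = AuthenticatedClient("g1", ["alice", "bob"], ["alice"], ADMIN_KEYS)
    return {
        "weak_accepts_legit": weak.apply(legit),
        "weak_accepts_forged": weak.apply(forged),
        "strong_accepts_legit": strong.apply(legit),
        "strong_rejects_forged": not strong.apply(forged),
        "strong_rejects_replay": not strong.apply(legit),
        "weak_members": sorted(weak.members),
        "strong_members": sorted(strong.members),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two clients differ only in `apply`: the vulnerable one mirrors the behaviour the researchers describe, where the server can silently grow the group, while the hardened one makes the server's position irrelevant to membership, because without an admin's key it can neither tag a new update nor usefully re-send an old one.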