The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group.
However, a group of security researchers from the Ruhr University Bochum in Germany have revealed why that is not the case anymore.
"The described weaknesses enable [the] attacker, who controls the WhatsApp server or can break the transport layer security, to take full control over a group", the researchers wrote in their paper published earlier this month. In other words, anyone who controls the app's servers could gain access to a WhatsApp group chat.
Experts found that anyone with control over WhatsApp's servers can add people to private group chats, including hackers and governments who legally demand access.
The vulnerabilities found in Threema and Signal are relatively harmless compared to the problems researchers found with WhatsApp, because of the relative ease with which new people can be inserted into private groups without any permission.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", Paul Rösler, a Ruhr University researcher, told Wired. "We built WhatsApp so group messages cannot be sent to a hidden user".
"The phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages", the report added.
According to the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to the group, and it is possible for an unauthorized person, who is not even a member of the group, to add someone to the group chat. "The content of messages sent in WhatsApp groups remains protected by end-to-end encryption". Existing members are notified when new people are added to a WhatsApp group.
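The check that is missing when group management messages are unsigned, as an added sketch that is not from the article, the researchers' paper or any messenger's code: the administrator signs each add request, and a member's phone verifies it before sharing keys. The message layout, the use of Ed25519, the sequence counter and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// GroupAdd is a constructed "add member" message, not WhatsApp's wire format.
type GroupAdd struct {
	GroupID, NewMember, Admin string
	Seq                       uint64 // per-group counter: an old signed add cannot be replayed
	Sig                       []byte `json:",omitempty"`
}

// payload is what the administrator signs: every field except Sig.
func payload(m GroupAdd) []byte {
	m.Sig = nil // m is a copy, the caller's message is untouched
	b, _ := json.Marshal(m)
	return b
}

// SignAdd runs on the administrator's phone; the server never holds priv.
func SignAdd(priv ed25519.PrivateKey, m GroupAdd) GroupAdd {
	m.Sig = ed25519.Sign(priv, payload(m))
	return m
}

// AcceptAdd runs on a member's phone before it shares group keys with NewMember.
// admins holds the admin public keys this member already trusts; lastSeq is the
// highest counter it has accepted for the group.
func AcceptAdd(admins map[string]ed25519.PublicKey, lastSeq uint64, m GroupAdd) bool {
	pub, ok := admins[m.Admin]
	if !ok || m.Seq <= lastSeq || len(m.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, payload(m), m.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	admins := map[string]ed25519.PublicKey{"alice": pub}
	genuine := SignAdd(priv, GroupAdd{GroupID: "g1", NewMember: "bob", Admin: "alice", Seq: 1})
	injected := GroupAdd{GroupID: "g1", NewMember: "mallory", Admin: "alice", Seq: 2} // server-made, unsigned
	rewritten := genuine
	rewritten.NewMember = "mallory" // server alters a genuine signed add
	fmt.Println(AcceptAdd(admins, 0, genuine), AcceptAdd(admins, 0, injected),
		AcceptAdd(admins, 0, rewritten), AcceptAdd(admins, 1, genuine))
}
```

Only the administrator's genuine request passes; the server-made, rewritten and replayed requests are rejected before any key is shared.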
Yesterday, we reported that FBI Director Christopher Wray asked messaging apps and social media companies to create encryption backdoors exclusively for authorities so that they could nab criminals and deter crimes without compromising the security of the public at large. It is said that this flaw can compromise the end-to-end encryption of the messaging platform.
Everyone in the group would see a message that a new member had joined, seemingly at the invitation of the unwitting administrator. In a statement to Wired, the company said, "We've looked at this issue carefully..."
Open Whisper Systems, the creators of Signal, told Wired that they are now redesigning how Signal handles group messaging, but did not share any more than that.
In January of last year, the Guardian newspaper reported that WhatsApp was vulnerable to interception, sparking concern over the app that marketed itself as a privacy leader.
If you're a group admin, you can also go into the "Group Info" settings and kick specific users from your chat. "But there is no [sic] a secret way into WhatsApp groups chats".