A research paper released by Paul Rösler, Christian Mainka, and Jörg Schwenk at Ruhr-Universität in Bochum has pointed out a flaw in WhatsApp’s group chat security which, theoretically, could allow anyone to add themselves to any group conversation and gain access to messages being transmitted to and fro by the members.
How does this flaw work?
To talk about the flaw, let’s first take a look at how group chats normally work at WhatsApp. Typical group chats are managed by one person who is identified as the administrator of the chat. That person manages the addition and removal of members, setting group policy and deleting the group chats itself. Whenever a new member is to be added, the administrator first sends a request to the WhatsApp server with the ID of the new member that it wants to add. The server authenticates the administrator, confirms that they have the proper authority to add/remove members from that group, and then sends a signal to all of the members which notifies them that a new member has been added to their mutual group.
This all sounds good, right? Well, it would be, except one tiny detail. Remeber the end-to-end encryption that WhatsApp uses for sending messages between users? It turns out that messages between the server and the administrator are not end-to-end encrypted. These messages use regular encryption and thus can be cracked and spoofed if someone takes control of a WhatsApp server. So what anyone has to do to get access to a private chat? Find some rogue WhatsApp employee who is willing to compromise the security of a server, or try and hack a WhatsApp server by themselves.
Is this really anything for users to worry about?
Short answer – No. The probability of a someone getting unauthorized access to a WhatsApp server is pretty low. The only problematic scenario is when a government agency or a third party might require access to a group chat and WhatsApp decides to provide that to them. But even in this case, the access is not anonymous. As soon as someone is granted access to a group chat, all the members are notified of the inclusion of new member. So to keep yourself safe from prying eyes of someone who shouldn’t be seeing your messages, keep an eye on who is added to the group. If it is someone you think should not be present in the group, it is probably time to jump ship.
A similar problem in the messaging app Signal is also described by Rösler, Mainka, and Schwenk in their research paper. It is expected that both these companies will soon fix this flaw. Until then, all you can do is to keep an eye on the members being added to your group chat for any suspicious activity.