WhatsApp Security Flaw Could Allow Impostors To Enter Group Conversations

The app doesn't use an authentication mechanism for inviting new members to a group chat, which means that its servers can spoof said invitation.

Researchers from Ruhr University Bochum in Germany announced the finding at the "Real World Crypto Security Conference", which was held in Zurich, Switzerland, on January 10. "But there is no [sic] a secret way into WhatsApp groups chats". According to the paper, investigation into "end-to-end protected group communications" has received little attention. "We built WhatsApp so group messages can not be sent to a hidden user".

WhatsApp is likely to give group administrators more powers, under which they will be able to restrict all other members from sending text messages, photographs, videos, GIFs, documents or voice messages if the admin chooses to.

Moxie Marlinspike, a security researcher who developed Signal, which licenses its protocol to WhatsApp, said that the current app design is reasonable, and that the report only sends a message to others not to "build security into your products, because that makes you a target for researchers, even if you make the right decisions". According to the German researchers, the power of any WhatsApp group lies in WhatsApp servers and not the group admin.

First, control of WhatsApp's servers is generally limited to Facebook (which owns WhatsApp) and to governments that can demand access to the servers.

In short, anyone who has control of a WhatsApp server could effortlessly insert new people into a private group. Once an attacker with server control accessed the conversation, he or she could also use it to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant.
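One way a client could authenticate membership changes so that an invitation injected by the server is rejected, as an added example that is not WhatsApp's or the researchers' code. It assumes a hypothetical MAC key (`ADMIN_KEY`) that the admin shared with members over their pairwise end-to-end channels; `make_change`, `GroupState` and the message layout are illustrative, and a real design would use the admin's signature key so that other members cannot forge changes either.

```python
import hashlib
import hmac
import json

# Assumption: the admin shared this MAC key with members over their pairwise
# end-to-end channels, so the server never sees it. Constructed demo value.
ADMIN_KEY = hashlib.sha256(b"constructed demo secret").digest()


def _tag(key: bytes, change: dict) -> str:
    # Canonical JSON so sender and receiver authenticate identical bytes.
    data = json.dumps(change, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_change(key, group_id, action, member, seq):
    """Admin side: build an authenticated membership change."""
    change = {"group": group_id, "action": action, "member": member, "seq": seq}
    return {"change": change, "tag": _tag(key, change)}


class GroupState:
    """Member side: membership changes only on authenticated, fresh messages."""

    def __init__(self, group_id, members, key):
        self.group_id, self.members, self.key = group_id, set(members), key
        self.last_seq = 0  # highest sequence number accepted so far

    def apply(self, msg) -> bool:
        change, tag = msg.get("change"), msg.get("tag")
        if not isinstance(change, dict) or not isinstance(tag, str):
            return False
        if not hmac.compare_digest(_tag(self.key, change).encode(), tag.encode()):
            return False  # server-made or tampered: no valid tag
        seq, member = change.get("seq"), change.get("member")
        if change.get("group") != self.group_id or not isinstance(member, str):
            return False
        if not isinstance(seq, int) or seq <= self.last_seq:
            return False  # replay of an old change, e.g. re-adding a removed user
        if change.get("action") == "add":
            self.members.add(member)
        elif change.get("action") == "remove":
            self.members.discard(member)
        else:
            return False
        self.last_seq = seq
        return True
```

The sequence check matters as much as the tag: without it, a server could replay a genuine old "add" after the admin has removed that member.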

Facebook's Chief Security Officer Alex Stamos responded to the report on Twitter, saying, "Read the Wired article today about WhatsApp - scary headline!"

"Existing members are notified when new people are added to a WhatsApp group", the platform said. In such a case, it is impossible for them to share details with enforcement agencies that they themselves can not access. The fear for some people is that this security flaw will result in WhatsApp being coerced by government agencies into allowing the flaw to be exploited to eavesdrop on conversations. The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have. 2. The membership of a group can be seen by tapping on "group info". "An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all". "There is no way to suppress this message", he wrote.
