A team of German security experts has uncovered a very serious security vulnerability with WhatsApp’s servers. This flaw could potentially allow hackers to join private group chats without an invitation from the group administrator.
WhatsApp is one of the most popular messaging apps out there as evidenced by its over 1.3 billion monthly active users. Given the scale of the platform, it shouldn’t come as a surprise to anyone that security is a top priority for the Facebook-owned company. To that end, WhatsApp introduced end-to-end encryption a couple of years back and implemented a number of other measures to ensure the privacy of its users. Even with those measures in place, however, security experts have discovered that the app still has its vulnerabilities and one, in particular, could allow hackers to eavesdrop on private conversations.
The discovery was made by a team of security researchers at the Ruhr University in Bochum, Germany, who detailed their findings in a paper published last week. The paper was presented at the Real World Crypto security conference in Zurich, Switzerland, and touched upon one of WhatsApp's most serious security flaws. According to the researchers, the vulnerability could allow, at least in theory, an attacker to join private group chats without being invited. Under normal circumstances, the group administrator is the only person who can add new members to the group, but apparently WhatsApp has no mechanism by which the other members can verify that an invitation actually came from the administrator.
Even more concerningly, once an intruder has been placed in the group chat, they would be able to manipulate the delivery of messages in a number of ways. While the intruder would only be able to see future messages and not past conversations, they could control the order in which those messages appear in the chat and even prevent certain group members from seeing them. This matters in situations where some users start to suspect the infiltrator: accusatory messages could simply be dropped before reaching the other group members, allowing the intruder to cover their tracks.
Although this security flaw sounds serious, and it most certainly is, there is a bit of good news for WhatsApp users worried about their privacy. In order to infiltrate group chats and manipulate messages, an attacker would first need to control WhatsApp's server. That is a feat only a very capable attacker could achieve; however, it is worth pointing out that governments with legal access and, of course, certain WhatsApp employees are also able to control the servers.
WhatsApp has apparently been aware of this issue for some time but company representatives have stated that there’s no real cause for concern because the app always notifies users when a new member has joined the group. Be that as it may, a fix to the core problem would still be preferable. If a hacker is skilled enough to take control of the servers, he might also be able to fool people into thinking he was actually invited to the group chat in certain situations.
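One way a client could enforce the missing check, shown here as an added illustration rather than WhatsApp's actual protocol or code from the researchers: each group pins the administrator's signing key when it is created, every "add member" request carries the administrator's signature over the group id and the new member, and a client admits a member only if that signature verifies, so a request fabricated at the server is rejected. The Ed25519 key pairs and the `Group` and `AddRequest` types are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Group is each client's membership view; AdminPub is pinned at group creation.
type Group struct {
	ID       string
	AdminPub ed25519.PublicKey
	Members  map[string]bool
}

// AddRequest adds Member to GroupID; GroupID is in the signed bytes to stop cross-group replay.
type AddRequest struct {
	GroupID, Member string
	Signature       []byte
}

func (r *AddRequest) canonical() []byte { return []byte(r.GroupID + "\x00add\x00" + r.Member) }
// SignAdd runs on the admin's device; the server never holds adminPriv.
func SignAdd(adminPriv ed25519.PrivateKey, r *AddRequest) {
	r.Signature = ed25519.Sign(adminPriv, r.canonical())
}
// Apply runs on each member's device for every add the server delivers and
// admits the new member only if the pinned admin key signed the request.
func (g *Group) Apply(r *AddRequest) error {
	if r.GroupID != g.ID {
		return errors.New("request is for a different group")
	}
	if !ed25519.Verify(g.AdminPub, r.canonical(), r.Signature) {
		return errors.New("membership change not signed by group admin")
	}
	g.Members[r.Member] = true
	return nil
}

func main() {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	g := &Group{ID: "g1", AdminPub: adminPub, Members: map[string]bool{"alice": true}}
	legit := &AddRequest{GroupID: "g1", Member: "bob"}
	SignAdd(adminPriv, legit)
	fmt.Println("admin adds bob:", g.Apply(legit), g.Members["bob"])
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // a compromised server has no admin key
	forged := &AddRequest{GroupID: "g1", Member: "mallory"}
	SignAdd(serverPriv, forged)
	fmt.Println("server adds mallory:", g.Apply(forged), g.Members["mallory"])
}
```

The same check would also have to cover removals and any other membership change, since an unsigned removal lets a server silence a member just as an unsigned add lets it insert one.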