Critical security flaw enables WhatsApp servers to add people to private groups

Researchers have uncovered a serious flaw in WhatsApp that allows anyone who control's WhatsApp servers to add new people to a group without obtaining permission from the administrator of the group.

The fact that those controlling WhatsApp's servers can access group messages destroys the idea of end-to-end encryption which was introduced to ensure that even messaging services won't be able to access individual communications.

Yesterday, we reported that FBI Director Christopher Wray asked messaging apps and social media companies to create encryption backdoors exclusively for authorities so that they could nab criminals and deter crimes without compromising the security of the public at large.

The idea of creating a backdoor itself is absurd, considering how a small hack that allows authorities to bypass end-to-end encryption can be exploited or abused by cyber criminals and enemy states as well, thereby compromising the privacy of every single individual using a particular messaging service.

So far, we have been led to believe that end-to-end encryption in mobile phones and messaging apps like iMessage, WhatsApp and Telegram ensures that messages sent and received by users are so well scrambled that the services themselves cannot access or read them. In such a case, it is impossible for them to share details with enforcement agencies that they themselves cannot access.

However, a group of security researchers from the Ruhr University Bochum in Germany have revealed why that is not the case anymore. In a revelation that could change how much people trust services that offer end-to-end encryption, they said that a critical flaw, or feature, in WhatsApp allows anyone who control's WhatsApp servers to add new people to a group without obtaining permission from the administrator of the group.

New people added to a particular WhatsApp group without the administrator's permission will be able to read new messages posted by members of the group, thereby compromising the confidentiality and privacy that members belonging to a private WhatsApp group enjoy.

'The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them. If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little,' said security researcher Paul Rösler.

The said flaw can be exploited or misused either by WhatsApp's own employees who control the firm's servers or hackers who manage to compromise its servers and thereby view profiles of individuals and groups and add new people to targeted groups without obtaining permission from administrators.

This flaw is exactly the kind of encryption backdoor that FBI Director Christopher Wray is looking for to enable authorities to intercept communications and to deter crimes. However, this doesn't bode well for indivduals who are concerned about the privacy and for journalists, human rights activists, defectors, and dissenters who could be targeted by despotic governments.

'Governments have targeted WhatsApp encryption in the past, demanding backdoors into their service and data. We exist at a time when governments worldwide are attempting to break down and intrude on the use of encryption, which disregards basic protections to human, and machine, privacy – what has become a basic right worldwide. As a result, any potential flaw that impacts WhatsApp’s privacy is cause for concern,' says Jing Xie, senior digital security researcher at Venafi.

'This particular flaw does not appear to originate from government intervention and WhatsApp’s transparency on the matter is commendable. However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys,' he adds.