WhatsApp is the most widely used messaging and calling app, with over a billion active users. The app provides a feature known as “WhatsApp Group Chat”, where multiple members can interact with each other in real time. However, a research paper published by Paul Rösler, Christian Mainka, and Jörg Schwenk at Ruhr-Universität in Bochum has pointed out a flaw in WhatsApp group chat security.
The research paper claims that WhatsApp security features could allow anyone to add themselves to any group conversation and gain access to the messages exchanged by its members.
How Does WhatsApp Group Chat Work?
To understand the flaw, let’s first take a look at how WhatsApp group chat works. Normally, a chat group is managed by one person, termed the “Group Admin”, who has full control over adding or removing members, setting group policies, and deleting the group chat entirely.
When adding a member, the Admin sends a request to the WhatsApp server with the ID of the new member. The server authenticates the Admin and confirms that the Admin has the right to add a new member to the group. The server then sends a signal to all the group members, notifying them that a new member has been added to their mutual group.
WhatsApp Group Chat Security Flaw
Everything sounds fine so far, except for one detail. WhatsApp uses end-to-end encryption for messages sent between users. However, the messages between the WhatsApp server and a Group Admin are not end-to-end encrypted. These messages use a regular encryption technique and can be cracked if someone takes control of a WhatsApp server.
This means that anybody who wants access to a private chat has to find a rogue WhatsApp employee who is willing to compromise the security of a server, or try to hack a WhatsApp server themselves.
Is There any Risk?
You may be wondering whether the situation is really worrying. The short answer is “No”, because the chances of someone gaining unauthorised access to a WhatsApp server are pretty low. It could become distressing if a government agency or a third party requests that WhatsApp allow access to a private Group Chat and WhatsApp decides in their favour.
Even then, access gained through a WhatsApp server will not be anonymous. As soon as someone is granted access to a group chat, all the members are notified of the inclusion of the new member. That means that, to keep a group private, the Admins have to carefully watch for any such addition that was not initiated by them. If it is someone you think should not be present in the group, it is probably time to jump ship.
Although WhatsApp claims to have enhanced security, it is not good news that a person other than the Admin can add someone to a chat. WhatsApp really needs to do something about it to ensure complete security of the app. The research paper and its findings will be presented in Zurich at World Crypto Conference.
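The check described above, as an added example that is not code from the article, the research paper or WhatsApp: an Admin reconciles the add requests their own client sent against the join notifications the server relayed, and flags every join they did not initiate. The record shapes, names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical record shapes for this example; not WhatsApp's real message format.
@dataclass(frozen=True)
class AddRequest:        # an add request this Admin's own client sent to the server
    group: str
    member: str
    sent_at: int

@dataclass(frozen=True)
class JoinNotice:        # a "new member added" notification relayed by the server
    group: str
    member: str
    added_by: str
    seen_at: int

def unexplained_joins(my_id, requests, notices, window=300):
    """Return (notice, reason) pairs for joins this Admin did not initiate."""
    pending = list(requests)
    flagged = []
    for n in sorted(notices, key=lambda x: x.seen_at):
        if n.added_by != my_id:
            # The attribution comes from the server, so it cannot be checked locally.
            flagged.append((n, "not initiated by me: confirm with the group"))
            continue
        match = next((r for r in pending
                      if (r.group, r.member) == (n.group, n.member)
                      and 0 <= n.seen_at - r.sent_at <= window), None)
        if match is None:
            flagged.append((n, "attributed to me, but I sent no such request"))
        else:
            pending.remove(match)   # one request explains exactly one join
    return flagged

# Constructed sample data (timestamps in seconds).
REQUESTS = [AddRequest("family", "alice", 1000)]
NOTICES = [
    JoinNotice("family", "alice", "me", 1004),    # matches my request
    JoinNotice("family", "alice", "me", 1900),    # repeat with no new request
    JoinNotice("family", "mallory", "me", 2000),  # never requested
    JoinNotice("family", "bob", "carol", 2500),   # someone else's addition
]

if __name__ == "__main__":
    for notice, reason in unexplained_joins("me", REQUESTS, NOTICES):
        print(f"{notice.group}: {notice.member} ({reason})")
```

Each request is consumed by the first join it explains, so a repeated notification for the same member is flagged rather than silently accepted.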