Slashdot Mirror


WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats (iacr.org)

A group of cryptographers from Germany's Ruhr University Bochum have uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," they show that anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that is unlikely to sit well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.
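The summary describes two server capabilities the paper relies on: adding a member without any admin authorisation, and reordering or dropping group messages to hide the traces. The following is an added illustration, not code from the paper or from WhatsApp, of what a client-side defence against both looks like. It assumes a group key that members hold and the server does not, uses an HMAC under that key as a stand-in for the admin signature the paper's fix calls for (a real design would use per-admin asymmetric signatures so that ordinary members cannot forge either), and carries a per-sender sequence counter inside each message so that a gap or a backwards jump is flagged. All names, the group id and the scenario are constructed for this example.

```python
"""Added example (not from the paper or WhatsApp): a group-chat client that
refuses membership changes the server cannot prove an admin authorised, and
flags dropped or reordered messages.

Assumptions of this example, not the real protocol: a group key shared by
members but NOT by the server, an HMAC over membership events under that key
standing in for an admin signature, and a per-sender sequence counter inside
each (notionally encrypted) message.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def sign_membership_event(group_key: bytes, group_id: str, action: str,
                          member: str, epoch: int) -> bytes:
    """Admin side: authenticate a membership change. The server never holds
    group_key, so it cannot produce this tag on its own."""
    msg = f"{group_id}|{action}|{member}|{epoch}".encode()
    return hmac.new(group_key, msg, hashlib.sha256).digest()


@dataclass
class GroupClient:
    group_id: str
    group_key: bytes
    members: set
    epoch: int = 0
    # last sequence number seen per sender, used to detect drops and reorders
    last_seq: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def on_membership_event(self, action, member, epoch, tag):
        """Accept only events carrying a valid tag for the next epoch."""
        expected = sign_membership_event(self.group_key, self.group_id,
                                         action, member, epoch)
        if epoch != self.epoch + 1 or not hmac.compare_digest(expected, tag):
            self.alerts.append(f"rejected unauthenticated {action} of {member}")
            return False
        if action == "add":
            self.members.add(member)
        elif action == "remove":
            self.members.discard(member)
        self.epoch = epoch
        return True

    def on_message(self, sender, seq, body):
        """Per-sender counters: a gap means the server dropped something, a
        smaller or equal value means it replayed or reordered."""
        if sender not in self.members:
            self.alerts.append(f"message from non-member {sender}")
            return False
        prev = self.last_seq.get(sender, 0)
        if seq <= prev:
            self.alerts.append(f"reordered/replayed message {seq} from {sender}")
            return False
        if seq != prev + 1:
            self.alerts.append(f"missing messages {prev + 1}..{seq - 1} from {sender}")
        self.last_seq[sender] = seq
        return True


def demo():
    """Constructed scenario: the server alone tries to add a member, an admin
    then adds one properly, and the server delivers messages out of order."""
    key = os.urandom(32)
    alice = GroupClient("g1", key, {"alice", "bob"})
    # server-only add: it has no group key, so it can only send a bogus tag
    server_add = alice.on_membership_event("add", "mallory", 1, b"\x00" * 32)
    # admin (bob) authorised add of carol
    tag = sign_membership_event(key, "g1", "add", "carol", 1)
    admin_add = alice.on_membership_event("add", "carol", 1, tag)
    # server delivers bob's messages 1, 3, 2: a gap, then a backwards jump
    results = [alice.on_message("bob", s, "hi") for s in (1, 3, 2)]
    return server_add, admin_add, results, alice.alerts, alice.members


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The epoch counter makes membership changes a strict chain, so the server cannot replay an old, validly tagged "add" later; the per-sender sequence check is what turns "stealthy" reordering and dropping into something the recipient's UI can surface.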

29 comments

  1. Are one-to-one sessions safe? by mi · · Score: 1

    TFA seems vague — are one-to-one sessions safe, or are they really groups (of two people) underneath and thus subject to the same problem?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 1

      "The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group." - Read. This exists on all chats.

    2. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 0

      TFA seems vague -- are one-to-one sessions safe, or are they really groups (of two people) underneath and thus subject to the same problem?

      Is it on the internet involving someone else's servers?

      Then the fucking answer is no.

    3. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 0

      "The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group." - Read. This exists on all chats.

      Speaking of reading, you should try it some time. From TFA:

      "...WhatsApp attack takes advantage of a simple bug. Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism..."

      "...the company could fix its more egregious group chat flaw by adding an authentication mechanism for new group invitations....Until they do, WhatsApp's most sensitive users should consider sticking with one-to-one conversations..."

    4. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 0

      That doesn't stop the problem, you're reading old information.

    5. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 0

      Can you substantiate your insinuations or are you just trumping?

    6. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 0

      Is it on the internet involving someone else's servers?

      Then the fucking answer is no.

      This.

  2. I'm not a conspiracy theorist but ... by Anonymous Coward · · Score: 0

    ... I'm starting to feel that many of these bugs that are discovered almost on a daily basis were actually introduced by design

  3. Backup by Anonymous Coward · · Score: 0

    IMHO, as soon as you have (it's enabled by default) backup of msgs to a gmail account, you lose any protection provided by PTP encryption. Isn't it so?

    1. Re:Backup by fph+il+quozientatore · · Score: 1

      Local backup is enabled by default, gdrive backup is not. At least that's what they claim (and it seems easy to verify).

      --
      My first program:

      Hell Segmentation fault

  4. Privacy Enthusiast by backslashdot · · Score: 3, Funny

    As a privacy enthusiast, I am mad as hell about this.

    Posted anonymously. Thank God the slashdot Post Anonymously square will protect me.

    1. Re:Privacy Enthusiast by Anonymous Coward · · Score: 0

      Posted anonymously. Thank God the slashdot Post Anonymously square will protect me.

      Only if you check said square, my friend backslashdot #95548

      (But maybe they did! Conspiracy!)

    2. Re:Privacy Enthusiast by Anonymous Coward · · Score: 0

      Are you going to take it anymore?

  5. Server access? by Lanforod · · Score: 1

    With server access, I suspect pretty much any service has 'vulnerabilities' like this! I don't see how this is news. End to end encryption still relying on transit through secured servers that negotiate the starting sessions... There is a point of entry somewhere. If you want 100% guaranteed private communications over distance, setup your own wires and adhoc, encrypted network.

    1. Re:Server access? by ctilsie242 · · Score: 1

      Depends on the sensitivity of the data:

      For Grandma's cookies, it gets encrypted with a shared secret and a private key, both are on an offline computer that used an SD card for the data (USB can be used as an entry point.) Then the message is sent via different channels via a shared secret mechanism (x out of y pieces needed to reassemble). One channel could be E-mail, another WhatsApp, another Telegram or TextSecure. Secure, but a pain in the bum.

      For stuff less secure, a PGP app and a messaging app works well enough, however, it gets old copying and pasting to encode/decode.

      Then, you have apps like Telegram or Signal which have a good reputation for security. If a government bans or demands backdoors in them; they are good.

      Then you have everything else, where security is at best theater.
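The "x out of y pieces needed to reassemble" step in the comment above is threshold secret sharing. The following is an added illustration, not the commenter's own tooling, of that split and recombine step using Shamir's scheme over a prime field: any x of the y pieces rebuild the secret and any fewer yield an unrelated value, which is what makes spreading the pieces over separate channels worthwhile. Assumed for the example: the Mersenne prime 2^127-1 as modulus, a secret of at most 15 bytes (a longer message would be chunked, or a symmetric key would be shared instead), and a constructed sample message.

```python
"""Added example (not from the comment author): Shamir 'x of y' secret
sharing over a prime field, the mechanism behind 'x out of y pieces needed
to reassemble'. Assumptions: modulus 2^127-1 and secrets of at most 15 bytes."""
import secrets

PRIME = 2**127 - 1  # Mersenne prime, comfortably above any 15-byte value


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split up to 15 bytes into `shares` points; any `threshold` rebuild it."""
    assert 0 < threshold <= shares and len(secret) <= 15
    s = int.from_bytes(secret, "big")
    # constant term is the secret; the other coefficients are random
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(points) -> int:
    """Lagrange interpolation at x = 0 over the given distinct points.
    With fewer than `threshold` points this returns an unrelated value."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(points, length: int) -> bytes:
    """Rebuild the original bytes from at least `threshold` points."""
    return recover_int(points).to_bytes(length, "big")


def demo(msg=b"grandma cookies", threshold=3, shares=5):
    """Constructed run: 3-of-5 split, recover from pieces 1, 3 and 5, and show
    that 2 pieces do not recover the message."""
    pts = split_secret(msg, threshold, shares)
    ok = recover_secret([pts[0], pts[2], pts[4]], len(msg))
    too_few_is_wrong = recover_int(pts[:threshold - 1]) != int.from_bytes(msg, "big")
    return ok, too_few_is_wrong


if __name__ == "__main__":
    recovered, too_few_failed = demo()
    print(recovered, too_few_failed)
```

Each piece sent over a different channel (e-mail, one messenger, another messenger) is a point on the polynomial; whoever controls only one of those channels holds fewer than the threshold and learns nothing about the constant term. The comment's separate encryption step is not shown here; in practice one would share a symmetric key this way and send the ciphertext normally.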

    2. Re:Server access? by Khashishi · · Score: 1

      If a government bans or demands backdoors in them; they are good.

      Or, it's smoke and mirrors and the government already has backdoors in them. And even if the messaging app is secure, the OS, or the keyboard app, or the hardware drivers, or the hardware itself could have a backdoor.

    3. Re:Server access? by Anonymous Coward · · Score: 0

      "both are on an offline computer that used a SD card for the data (USB can be used as an entry point.)"

      An SD card and a typical USB flash drive both present themselves to the OS as mass storage devices. I might be wrong on this next part, but I think SD card readers built in to computers are typically connected to the computer via the internal USB controller.

  6. Look, if you're on facefuck by Anonymous Coward · · Score: 0

    nothing else you do to fuck yourself matters.

  7. Transparency report by Anonymous Coward · · Score: 0

    <tinfoil>
    Does the Facebook transparency report include numbers on how many times they have been directed to monitor conversations?
    </tinfoil>

  8. Facebook & security? by DogDude · · Score: 3, Interesting

    Using a Facebook application is insecure by definition of it being a Facebook application. Who cares if it's "secure" or not? That doesn't make sense.

    --
    I don't respond to AC's.
    1. Re:Facebook & security? by Anonymous Coward · · Score: 0

      https://www.sheragim.ir/push-notification/

  9. OMG! New Flash! by Anonymous Coward · · Score: 0

    "attacker A, who controls the WhatsApp server"

    Someone with control of an application server can make the application do whatever they want! We're all doomed!

    Who is paying for all this recent security research into the obvious? And more importantly... why didn't I think of it and get in on the racket?

  10. well done by Anonymous Coward · · Score: 0

    If someone gains control of whatsapp servers yes they can obviously do this

    If someone got control of Google's servers they could skew search results... it's the same with everything

  11. Alternatives by Phoinix · · Score: 1

    The main problem is getting your friends to switch.

    1) Threema $
    https://techcrunch.com/2014/02...
    https://www.youtube.com/watch?...
    2) Chatsecure thru Orbot
    3) Riot.im
    4) Wire
    5) Telegram
    6) Signal
    7) Textsecure
    8) Wickr
    9) Jitsi Meet
    10) Stride

    I was willing to buy like 10-20 licenses of Threema, but Google Play does not allow "app gifts"...
    Other methods will depend on geographical location (Google gift cards depend on the country address of each account) or require a bit more technical knowledge (directly from Threema website).

    Just my 2 cents

  12. this is still a thing? by Anonymous Coward · · Score: 0

    whatsapp is still a thing? people are stupid.

  13. Jesus fuck, do people proofread papers anymore? by flargleblarg · · Score: 0

    TFA contains a ridiculously embarrassing grammatical error in a sentence:

    Entering the group however leaves traces since this operation is listed in the graphical user interface.

    It's missing commas around "however." It should say:

    Entering the group, however, leaves traces since this operation is listed in the graphical user interface.

    Seriously? This is supposed to pass for a serious article these days? What the fuck. Proofread your goddamn papers, people— and stop sucking at grammar!

    1. Re:Jesus fuck, do people proofread papers anymore? by Anonymous Coward · · Score: 0

      No, they just count publications. This apparently counts as one.

  14. One man's bug by Anonymous Coward · · Score: 0

    is another social networking, gov brown noser's feature.