Slashdot Mirror

← Back to Stories (view on slashdot.org)

WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats (iacr.org)

Posted by msmash on from the security-woes dept.

A group of crytopgraphers from Germany's Ruhr University Bochum have uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that might not bode well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.

9 of 29 comments (clear)

  1. Are one-to-one sessions safe? by mi · · Score: 1

    TFA seems vague — are one-to-one sessions safe, or are they really groups (of two people) underneath and thus subject to the same problem?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Are one-to-one sessions safe? by Anonymous Coward · · Score: 1

      "The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. " - Read. This exists on all chats.

  2. Privacy Enthusiast by backslashdot · · Score: 3, Funny

    As a privacy enthusiast, I am mad as hell about this.

    Posted anonymously. Thank God the slashdot Post Anonymously square will protect me.

  3. Server access? by Lanforod · · Score: 1

    With server access, I suspect pretty much any service has 'vulnerabilities' like this! I don't see how this is news. End to end encryption still relying on transit through secured servers that negotiate the starting sessions... There is a point of entry somewhere. If you want 100% guaranteed private communications over distance, setup your own wires and adhoc, encrypted network.

    1. Re:Server access? by ctilsie242 · · Score: 1

      Depends on the sensitivity of the data:

      For Grandma's cookies, it gets encrypted with a shared secret and a private key, both are on an offline computer that used a SD card for the data (USB can be used as an entry point.) Then the message is sent via different channels via a shared secret mechanism (x out of y pieces needed to reassemble) One channel could be E-mail, another WhatApp, another Telegram or TextSecure. Secure, but a pain in the bum.

      For stuff less secure, a PGP app and a messaging app works well enough, however, it gets old copying and pasting to encode/decode.

      Then, you have apps like Telegram or Signal which have a good reputation for security. If a government bans or demands backdoors in them; they are good.

      Then you have everything else, where security is at best theater.

    2. Re:Server access? by Khashishi · · Score: 1

      If a government bans or demands backdoors in them; they are good.

      Or, it's smoke and mirrors and the government already has backdoors in them. And even if the messenging app is secure, the OS, or the keyboard app, or the hardware drivers, or the hardware itself could have a backdoor.

  4. Facebook & security? by DogDude · · Score: 3, Interesting

    Using a Facebook application is insecure by definition of it being a Facebook application. Who cares if it's "secure" or not? That doesn't make sense.

    --
    I don't respond to AC's.
  5. Re:Backup by fph+il+quozientatore · · Score: 1

    Local backup is enabled by default, gdrive backup is not. At least that's what they claim (and it seems easy to verify).

    --
    My first program:

    Hell Segmentation fault

  6. Alternatives by Phoinix · · Score: 1

    The main problem is getting your friends to switch.

    1) Threema $
    https://techcrunch.com/2014/02...
    https://www.youtube.com/watch?...
    2) Chatsecure thru Orbot
    3) Riot.im
    4) Wire
    5) Telegram
    6) Signal
    7) Textsecure
    8) Wickr
    9) Jitsi Meet
    10) Stride

    I was willing to buy like 10-20 licenses of Threema, but Google Play does not allow "app gifts"...
    Other methods will depend on geographical location (Google gift cards depend on the country address of each account) or require bit more technical knowledge (directly from Threema website).

    Just my 2 cents