In their paper titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", the researchers have outlined a series of flaws that allow an impostor to invade your group chats or, worse yet, control who gets added to or removed from the group.
This is a big problem, because WhatsApp prides itself on end-to-end encryption for its messages.
According to the researchers, in pairwise communication, where only two users communicate with each other, the server has a limited role to play, but in a group conversation the role of the server increases, since it manages the entire process, and it is here that the vulnerability kicks in. Given that the security and privacy of its users are a priority for WhatsApp, it collects very little information and all messages are end-to-end encrypted.
"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group", the paper states. Once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant.
Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server, the attacker also needs to know the chat's Group ID - which is nearly impossible to know without having physical access to one of the phones in the message thread. A report by Wired has confirmed these findings with a WhatsApp spokesperson. Existing members are notified when new people are added to a WhatsApp group. "From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats", the company said in its blog post.
Everyone in the group would see a message that a new member had joined, seemingly at the invitation of the unwitting administrator. "The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity".
While the exploits in Threema and Signal seemed to be relatively harmless, WhatsApp had far more significant gaps in security.
WhatsApp also stated that preventing the attack would put an end to its group invite link tool which allows anyone to enter a group just by tapping on a URL.
WhatsApp acknowledged the flaw to Wired, although it emphasised that adding participants completely covertly is impossible because of the notification system. "There is no way to suppress this message".