WhatsApp is an instant messaging platform which is preferred by millions of users across the globe, thanks to the clean user interface.
Researchers announced they had discovered flaws in WhatsApp's security at the Real World Crypto security conference in Switzerland, Wired reports. "This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server".
The researchers also claim that they notified WhatsApp of the flaw, but were told that the group invitation bug was merely a "theoretical" problem, and thus did not qualify for Facebook's bug bounty program.
"Anyone who controls the app's servers could insert new people into private group chats without needing admin permission", the report said. All group members are deemed administrators, and can thus add a new group member by sending an encrypted group management message to the other participants.
The research group turned its attention to messaging tools Signal, WhatsApp, and Threema, but it was only Facebook's WhatsApp that gave cause for concern. But the researchers have found that anyone having control of the server can break the authentication process that grants them the privilege that is needed to add new members to the private groups. Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.
While WhatsApp boasts great end-to-end encryption of messages which is great for those who crave privacy - but a source of chagrin for many in the law enforcement community - it seems the messaging service is susceptible to attacks on user privacy. "The content of messages sent in WhatsApp groups remains protected by end-to-end encryption".
Area forecasts call for snow, wind
They warn the timing of the shift in temperatures will be important, "as a freeze is possible immediately following heavy rain". Friday we are back to snow, and weather experts say a significant snowfall could come Saturday for most of southern Ontario.
It is common for existing members to be alerted when new members are added to the WhatsApp group.
But Facebook-owned WhatsApp says the problem isn't as bad as the researchers are making out. But not the older messages and the ones for which the stranger doesn't have the end-to-end encryption key. We built WhatsApp so group messages can not be sent to a hidden user.
Stamos objected to the report, stating that there are multiple ways to check and verify the members of a group chat.
But the researchers said it would be possible to get the server to jumble up the way in which messages are sent, so that members would not receive this notification or be aware of the newcomer. However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys, ' he adds. In such a case, it is impossible for them to share details with enforcement agencies that they themselves can not access.
But, as it turns out, the Signal protocol does not check whether the message was sent by an actual member of the group, meaning that anyone outside the group can send the message and, consequently, add a new user to the group.