WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats (iacr.org)
A group of cryptographers from Germany's Ruhr University Bochum has uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," they show that anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that may not sit well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.
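The weakness above is that group membership is managed by the server with no end-to-end authentication, so a member added by the server looks the same to clients as one added by the group admin. The added example below is illustrative Python, not WhatsApp's protocol or the paper's code: it models a client that applies any server-issued membership change beside one that requires each change to carry a MAC under an admin key the server never holds plus a strictly increasing counter, so a server-inserted member or a dropped/reordered update is rejected rather than silently applied. The admin key, member names and counter scheme are assumptions constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GroupUpdate:
    op: str           # "add" or "remove"
    member: str
    seq: int          # per-group counter, incremented by the admin for every update
    tag: bytes = b""  # MAC over (op, member, seq); empty when the server forges an update

def update_mac(admin_key: bytes, op: str, member: str, seq: int) -> bytes:
    """MAC binding the membership operation to the admin key (assumed shared out-of-band)."""
    return hmac.new(admin_key, f"{op}|{member}|{seq}".encode(), hashlib.sha256).digest()

@dataclass
class GroupClient:
    admin_key: Optional[bytes]          # None models the unauthenticated (vulnerable) design
    members: set = field(default_factory=set)
    last_seq: int = 0
    alerts: list = field(default_factory=list)

    def apply(self, upd: GroupUpdate) -> bool:
        """Apply a membership update; returns False (and logs why) if it is rejected."""
        if self.admin_key is not None:
            expected = update_mac(self.admin_key, upd.op, upd.member, upd.seq)
            # Hardened client: the server cannot produce this tag, so forged adds fail here.
            if not hmac.compare_digest(upd.tag, expected):
                self.alerts.append(f"rejected unauthenticated {upd.op} of {upd.member}")
                return False
            # A gap or repeat in the counter means the server dropped or reordered an update.
            if upd.seq != self.last_seq + 1:
                self.alerts.append(f"expected seq {self.last_seq + 1}, got {upd.seq}")
                return False
            self.last_seq = upd.seq
        (self.members.add if upd.op == "add" else self.members.discard)(upd.member)
        return True

def demo() -> dict:
    admin_key = hashlib.sha256(b"constructed-admin-secret-not-known-to-server").digest()
    vulnerable = GroupClient(admin_key=None, members={"alice", "bob"})
    hardened = GroupClient(admin_key=admin_key, members={"alice", "bob"})
    rogue = GroupUpdate("add", "mallory", seq=1)                       # server-originated, no tag
    legit = GroupUpdate("add", "carol", seq=1, tag=update_mac(admin_key, "add", "carol", 1))
    skipped = GroupUpdate("add", "dave", seq=3, tag=update_mac(admin_key, "add", "dave", 3))
    return {
        "vulnerable_accepts_rogue": vulnerable.apply(rogue),   # True: covert member added
        "hardened_accepts_rogue": hardened.apply(rogue),       # False: forged add rejected
        "hardened_accepts_legit": hardened.apply(legit),       # True: admin-authenticated add
        "hardened_accepts_gap": hardened.apply(skipped),       # False: seq 2 went missing
        "hardened_members": sorted(hardened.members),
        "alerts": hardened.alerts,
    }
```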
Are one-to-one sessions safe? (Score:1)
TFA seems vague — are one-to-one sessions safe, or are they really groups (of two people) underneath and thus subject to the same problem?
Re: (Score:1)
"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. " - Read. This exists on all chats.
Privacy Enthusiast (Score:4, Funny)
As a privacy enthusiast, I am mad as hell about this.
Posted anonymously. Thank God the slashdot Post Anonymously square will protect me.
Server access? (Score:2)
Re: (Score:2)
Depends on the sensitivity of the data:
For Grandma's cookies, it gets encrypted with a shared secret and a private key, both are on an offline computer that used a SD card for the data (USB can be used as an entry point.) Then the message is sent via different channels via a shared secret mechanism (x out of y pieces needed to reassemble). One channel could be E-mail, another WhatsApp, another Telegram or TextSecure. Secure, but a pain in the bum.
For stuff less secure, a PGP app and a messaging app works we
Re: (Score:2)
If a government bans or demands backdoors in them; they are good.
Or, it's smoke and mirrors and the government already has backdoors in them. And even if the messaging app is secure, the OS, or the keyboard app, or the hardware drivers, or the hardware itself could have a backdoor.
Alternatives (Score:1)
The main problem is getting your friends to switch.
1) Threema $
https://techcrunch.com/2014/02... [techcrunch.com]
https://www.youtube.com/watch?... [youtube.com]
2) Chatsecure thru Orbot
3) Riot.im
4) Wire
5) Telegram
6) Signal
7) Textsecure
8) Wickr
9) Jitsi Meet
10) Stride
I was willing to buy like 10-20 licenses of Threema, but Google Play does not allow "app gifts"...
Other methods will depend on geographical location (Google gift cards depend on the country address of each account) or require bit more technical knowledge (directly from Threem
Jesus fuck, do people proofread papers anymore? (Score:1)
Entering the group however leaves traces since this operation is listed in the graphical user interface.
It's missing commas around "however." It should say:
Entering the group, however, leaves traces since this operation is listed in the graphical user interface.
Seriously? This is supposed to pass for a serious article these days? What the fuck. Proofread your goddamn papers, people— and stop sucking at grammar!