Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Facebook Privacy Security Social Networks

WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats (iacr.org) 29

A group of crytopgraphers from Germany's Ruhr University Bochum have uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that might not bode well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.
This discussion has been archived. No new comments can be posted.

WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats

Comments Filter:
  • TFA seems vague — are one-to-one sessions safe, or are they really groups (of two people) underneath and thus subject to the same problem?

    • by Anonymous Coward

      "The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. " - Read. This exists on all chats.

  • by backslashdot ( 95548 ) on Wednesday January 10, 2018 @02:30PM (#55902429)

    As a privacy enthusiast, I am mad as hell about this.

    Posted anonymously. Thank God the slashdot Post Anonymously square will protect me.

  • With server access, I suspect pretty much any service has 'vulnerabilities' like this! I don't see how this is news. End to end encryption still relying on transit through secured servers that negotiate the starting sessions... There is a point of entry somewhere. If you want 100% guaranteed private communications over distance, setup your own wires and adhoc, encrypted network.
    • Depends on the sensitivity of the data:

      For Grandma's cookies, it gets encrypted with a shared secret and a private key, both are on an offline computer that used a SD card for the data (USB can be used as an entry point.) Then the message is sent via different channels via a shared secret mechanism (x out of y pieces needed to reassemble) One channel could be E-mail, another WhatApp, another Telegram or TextSecure. Secure, but a pain in the bum.

      For stuff less secure, a PGP app and a messaging app works we

      • If a government bans or demands backdoors in them; they are good.

        Or, it's smoke and mirrors and the government already has backdoors in them. And even if the messenging app is secure, the OS, or the keyboard app, or the hardware drivers, or the hardware itself could have a backdoor.

  • Facebook & security? (Score:4, Interesting)

    by DogDude ( 805747 ) on Wednesday January 10, 2018 @03:18PM (#55902899)
    Using a Facebook application is insecure by definition of it being a Facebook application. Who cares if it's "secure" or not? That doesn't make sense.
  • The main problem is getting your friends to switch.

    1) Threema $
    https://techcrunch.com/2014/02... [techcrunch.com]
    https://www.youtube.com/watch?... [youtube.com]
    2) Chatsecure thru Orbot
    3) Riot.im
    4) Wire
    5) Telegram
    6) Signal
    7) Textsecure
    8) Wickr
    9) Jitsi Meet
    10) Stride

    I was willing to buy like 10-20 licenses of Threema, but Google Play does not allow "app gifts"...
    Other methods will depend on geographical location (Google gift cards depend on the country address of each account) or require bit more technical knowledge (directly from Threem

  • TFA contains a ridiculously embarrassing grammatical error in a sentence:

    Entering the group however leaves traces since this operation is listed in the graphical user interface.

    It's missing commas around "however." It should say:

    Entering the group, however, leaves traces since this operation is listed in the graphical user interface.

    Seriously? This is supposed to pass for a serious article these days? What the fuck. Proofread your goddamn papers, people— and stop sucking at grammar!

I came, I saw, I deleted all your files.

Working...