A flaw in WhatsApp's group messaging protocol means that, despite its vaunted end-to-end (E2E) encryption, messages can still be read by unwanted eyes, researchers from Germany's Ruhr University Bochum have found.
Encryption has always been one of the more difficult elements of group chat; the best protection in the world cannot stop unintended readers from seeing messages once they've been decoded.
According to a newly-published paper, presented at the Real World Crypto security conference in Switzerland, an attacker who gains control of WhatsApp's servers can add people to any group chat, while hiding the messages that show them having done so:
"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."
This means that an attacker can add someone to a conversation and read all future messages sent in the chat (past messages are still hidden). Although participants will be notified about the new addition, with full control of the thread the attacker can choose to block messages about it.
Admittedly, the attack requires control of the WhatsApp servers. That immediately limits the potential of the exploit to employees, sophisticated hackers or governments who can convince the firm to give them access - but the risk is still there, and rather negates the value of WhatsApp's encryption.
The entire point of E2E encryption is that no-one outside of a message thread can read the conversation, even if they control the servers. Matthew Green, a professor of cryptography at John Hopkins University, told Wired, "It's just a total screwup."
WhatsApp acknowledged the flaw to Wired, although emphasised that adding participants completely covertly is impossible, because of the notification system. They also went on to recommend starting an entirely new group chat to talk about fishy new additions (and then another to talk about new members of that group. Then another, and another, and...you see where we're going with this).
Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server the attacker also needs to know the chat's Group ID - which is almost impossible to know without having physical access to one of the phones in the message thread.
Why does Facebook store "my entire call history with my partner's mum", asks developer who requested his Facebook data
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Before Ocado could start selling the technology it had developed to other retailers, it had to tear down and rebuild its own monolithic architecture
Successful attack could result in harm to patients and financial loss, warns NHS governing body
Guccifer 2.0 claimed to be a lone Romanian hacker - until a schoolboy error gave him, her or them away