Security researchers recently claimed that a WhatsApp vulnerability could allow attackers to invade private group chats. However, a Facebook executive maintained that the messaging app’s group chat feature was secure.
The WhatsApp security flaw was revealed in a comprehensive study conducted by Paul Rösler, Christian Mainka, and Jörg Schwenk from Germany’s Ruhr-University Bochum. The paper was released at the recent Real World Crypto security conference in Switzerland.
WhatsApp, a Facebook-owned messaging app, is one of the most widely used communication apps, with around a billion users worldwide. It introduced end-to-end encryption, which also applies to its group chat feature, but the researchers claimed to have found a couple of weaknesses despite this security measure.
The paper states that the discovered WhatsApp group chat vulnerabilities could allow an attacker “to burgle into a group” and “forge acknowledgments.”
An attacker could reportedly tinker with WhatsApp’s group protocol and rig messages from the server so they would “become a member of the group or add other users to the group without any interaction of the other users.”
Ultimately, the researchers claimed that the vulnerability could let an attacker who had access to WhatsApp’s server “break the transport layer security” and “take full control over a group” without the need for confirmation from an administrator.
Once the WhatsApp server has been compromised, attackers can reportedly “reorder and drop messages in the group” or “read their content first and decide in which order they are delivered to the members.”
Facebook’s Chief Security Officer, Alex Stamos, reacted to the study in a series of posts on Twitter.
WIRED was one of the publications that reported on the research paper. Stamos shared this report on Twitter and commented: “Read the Wired article today about WhatsApp – scary headline! But there is no secret way into WhatsApp group chats.”
Stamos also said in a number of follow-up posts that the company had already studied the research “carefully” and explained that if an unauthorized person carried out an attack following the researchers’ experiment, it “would necessitate a change to the way WhatsApp provides a popular feature called group invite links.”
“The content of messages sent in WhatsApp groups remain protected by end-to-end encryption,” Stamos added.