Research that claims WhatsApp’s group messaging feature can be compromised by an attacker is being called into question by WhatsApp and the developer of the underlying messaging technology.
Last week, a team of researchers from Germany’s Ruhr University Bochum released an academic paper outlining flaws in WhatsApp’s group messaging service. They also claim to have found a less serious flaw in Signal, the messaging technology WhatsApp is based on.
In the case of WhatsApp, researchers claim the flaw could allow someone who controls a WhatsApp server to add an intruder to an encrypted group messaging session and read new messages shared between users and more.
The concern is that the technique offers a way for governments to pressure WhatsApp into accessing an encrypted group conversation. Another concern is that an attacker who gains control of a WhatsApp server would also be able to eavesdrop on encrypted group conversations.
WhatsApp, acquired by Facebook in 2014, supports end-to-end encryption and is considered a secure messaging platform based on the highly regarded Signal protocol, developed by Open Whisper Systems.
The paper, called More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema (PDF), asserts: “The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group.”
Once in, the WhatsApp server can be manipulated to “stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members,” researchers wrote.
More importantly, the rogue WhatsApp server admin could block group management messages alerting group members the infiltrator had joined the group.
That’s where WhatsApp and Moxie Marlinspike, the developer of the Signal protocol, argue researchers have got it wrong.
“All group members will see that the attacker has joined. There is no way to suppress this message,” Marlinspike wrote in a response to the researchers’ claims posted on the Hacker News forum on Wednesday.
WhatsApp also released a public statement: “We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group.” It said even if an attacker had admin control over the group, they still couldn’t create a “hidden” user from the group.
Marlinspike added that the attacker can’t view past group messages because they are end-to-end encrypted with encryption keys the attacker doesn’t have.
Matthew Green, a cryptographer, computer science professor, and researcher at Johns Hopkins University, said in a blog post Wednesday that the problem stems from the fact that the “standard Signal protocol doesn’t work quite as well for group messaging” because it’s not “optimized for broadcasting messages to many users.”
Green said WhatsApp and Signal handle invites in a similar way.
“From a UX perspective, the idea is that only one person actually initiates the adding of a new group member. This person is called the ‘administrator’. This administrator is the only human being who should actually do anything — yet, here one click must cause some automated action on the part of every other group members’ devices. That is, in response to the administrator’s trigger, all devices in the group chat must send their keys to this new group member,” Green said.
Compared to WhatsApp, an attack on a Signal group messaging session is harder. That’s because Signal requires invites to include a random 128-bit group ID number that “is never revealed to non-group-members or even the server,” Green explains. “That pretty much blocks the attack,” he said.
By contrast, WhatsApp servers are instrumental in managing group messaging. WhatsApp “determines who is an administrator and thus authorized to send group management messages,” Green said.
Also problematic: WhatsApp group management messages are neither end-to-end encrypted nor signed. “The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server,” Green said.
Ruhr University Bochum researchers propose fixes, such as requiring Signal and WhatsApp to ensure management messages are signed by group administrators only.
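The proposed fix can be sketched as a client-side check; this is an added example, not code from WhatsApp, Signal or the paper. It shows a member's client admitting a new member only when the "add" message carries a valid signature from an administrator key the client already trusts. The message format, field names, the sequence number used to reject replays, and the out-of-band verification of administrator keys are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type AddMember struct { // constructed "add member" management message (hypothetical format)
	GroupID, Admin, NewMember string
	Seq                       uint64
	Sig                       []byte
}

// GroupState is kept by each member's client; the server is never asked who is admin.
type GroupState struct {
	GroupID string
	Admins  map[string]ed25519.PublicKey // admin identity keys, assumed verified out of band
	Members map[string]bool
	Seq     uint64 // last accepted management sequence number
}

// signedBytes covers every field; %q quoting keeps field boundaries unambiguous.
func (m AddMember) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q %q %q %d", m.GroupID, m.Admin, m.NewMember, m.Seq))
}

// Apply admits the new member (the step that releases keys) only for an admin-signed add.
func (g *GroupState) Apply(m AddMember) error {
	pub, isAdmin := g.Admins[m.Admin]
	if !isAdmin || m.GroupID != g.GroupID {
		return fmt.Errorf("%q is not an administrator of this group", m.Admin)
	}
	if m.Seq <= g.Seq {
		return fmt.Errorf("replayed or stale management message (seq %d)", m.Seq)
	}
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return fmt.Errorf("invalid administrator signature")
	}
	g.Members[m.NewMember], g.Seq = true, m.Seq
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	g := &GroupState{"g1", map[string]ed25519.PublicKey{"alice": pub}, map[string]bool{}, 0}
	add := AddMember{GroupID: "g1", Admin: "alice", NewMember: "bob", Seq: 1}
	fmt.Println("unsigned add relayed by server:", g.Apply(add))
	add.Sig = ed25519.Sign(priv, add.signedBytes())
	fmt.Println("admin-signed add:", g.Apply(add))
}
```

Because the check runs on each member's device against keys the server never holds, a server that injects or rewrites a management message fails at the signature step instead of triggering key distribution.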
WhatsApp declined to say if the fixes the researchers proposed are being considered.
WhatsApp does have a track record of pushing back on government requests to break encryption. The company supported Apple in its stance against the FBI’s request to circumvent the encryption on a terrorist’s iPhone. A Facebook employee was jailed in Brazil for refusing to cooperate with government authorities to create a back door in the service. It has also publicly rejected calls by the U.K. government to weaken encryption.