Researchers at Germany’s Ruhr University Bochum released a technical research paper outlining security shortcomings in WhatsApp that could allow unauthorized users to infiltrate and spy on private group chats.
WhatsApp, bought by Facebook in 2014, is widely considered a secure messaging platform that supports end-to-end encryption and is based on the highly regarded Signal protocol, developed by Open Whisper Systems.
Some of the WhatsApp flaws are described in the paper’s abstract:
“Our systematic analysis reveals that (1) the communications’ integrity – represented by the integrity of all exchanged messages – and (2) the groups’ closeness – represented by the members’ ability of managing the group – are not end-to-end protected. We additionally show that strong security properties, such as Future Secrecy which is a core part of the one-to-one communication in the Signal protocol, do not hold for its group communication.”
The paper, “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema”, was released last week.
In a public statement, however, WhatsApp downplayed the impact of the group invite flaw, since users cannot secretly add a new member to a chat group.
Members would receive notifications when an unknown member joins the group.
Andy Greenberg from Wired.com also provided a nice article on the group invite bug.