Flaw in WhatsApp and Signal exposes group chats to 'extremely difficult' hacks

The researchers presented their findings at the Real World Cryptosecurity conference in Zurich on Wednesday (10 January), Wired reports.

Encryption has always been one of the harder elements of group chat; the best protection in the world cannot stop unintended readers from seeing messages once they've been decoded. But attackers who gain control of a Threema server can replay messages or add a previously removed user back into a group, the researchers found. The WhatsApp servers can only be controlled by staff, governments who legally demand access, and high-level hackers.

Researchers at the Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp or Signal servers can covertly add new members to any private group, allowing them to snoop on group conversations, all without the permission of the group administrator. This means that anyone who is able to gain access to the company's servers can spoof invitations and add themselves to a group, even making themselves the administrator.

Once an uninvited new member has been added to the group, the group's confidentiality is broken, as that member can access and read all new messages, claims one of the researchers.

But management at WhatsApp's parent company, Facebook, insisted that there was no security threat.

Perhaps even more troubling, a compromised admin with control of the server could manipulate the messages that would alert group members that someone new had been added, according to the researchers.

Facebook-owned WhatsApp added end-to-end encryption to every conversation two years ago. "We built WhatsApp so group messages cannot be sent to a hidden user."

A flaw in popular encrypted chat programs WhatsApp, Threema and Signal theoretically allows anyone who controls the apps' servers to bypass encryption and add themselves to group chats. While the vulnerability is not one that poses immediate concerns - it requires direct access to WhatsApp servers - it still raises questions about the security of the platform.

Now, it's important to note the limits of this security flaw: Whoever was exploiting it would have to be in control of the messaging app's servers.

It's not a problem that will impact most users, but chat apps like Signal and WhatsApp have been used for private conversations by everyone from politicians to government dissenters.

But this new flaw means it would now technically be possible to infiltrate group messages, bypassing encryption.

All members of the chat would be notified of new additions to the group, just like normal.

"He can cache all the messages and then decide which get sent to whom and which not," said Rösler when speaking to Wired. "However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys," he adds. They will have to use the "Message Admin" button to post a message or share media to the group.

Stamos objected to the report, stating that there are multiple ways to check and verify the members of a group chat.
