A team of crytopgraphers from Germany’s Ruhr University Bochum say they have uncovered flaws in WhatsApp’s security that compromise the messaging service’s vaunted end-to-end encryption.
As described in a newly published paper, “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,” anyone who controls WhatsApp’s servers, including company employees, can add members to any group without permission from its members.
From the paper:
5.4 Impact of the Weaknesses’ Combination
The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.
Only admins can add new members to private groups. But, as the researchers found, anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access to WhatsApp servers or a government successfully pressuring WhatsApp to give it access to targeted group chats.
Wired confirmed the researchers’ findings with a WhatsApp spokesperson. While the company, which is owned by Facebook, acknowledges the issue of server security, the spokesperson pushed back on the idea that attackers could block, cache, or otherwise prevent the alert that new members have been added.
“We’ve looked at this issue carefully,” a WhatsApp spokesperson wrote to Wired. “Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
The researchers agree that the level of sophistication needed to compromise WhatsApp servers makes this exact attack scenario unlikely, but that’s no excuse for security holes in an otherwise sharp system.
“If I hear there’s end-to-end encryption for both groups and two-party communications,” researcher Paul Rösler told Wired, “that means adding of new members should be protected against.”
In a response to the Wired story posted to Hacker News, Moxie Marlinspike, co-founder of Open Whisper Systems, which developed the end-to-end encryption used in Signal and WhatsApp, refutes the researchers’ claim that an attacker could conceal alerts from other chat members that someone was added to a group. “The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn’t have,” Marlinspike writes, adding, “All group members will see that the attacker has joined. There is no way to suppress this message.”
“Given the alternatives, I think that’s a pretty reasonable design decision, and I think this headline pretty substantially mischaracterises the situation,” Marlinspike writes. “I think it would be better if the server didn’t have metadata visibility into group membership, but that’s a largely unsolved problem, and it’s unrelated to confidentiality of group messages.”
Marlinspike further takes issue with the researchers describing this design decision as a flaw, characterising their efforts to poke holes in WhatsApp security as a byproduct of the company touting its security benefits.
“To me, this article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not,” Marlinspike writes. “It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing." [Wired]