German cryptographers have discovered a security hole in the WhatsApp application. In theory, anyone with access to the service's servers could force new members into group conversations. The firm does not intend to fix it.
Is encryption on WhatsApp infallible? The answer is no, according to a recent discovery by German cryptographers. The application, which passed one billion users in July 2017, is reportedly affected by a flaw that would allow conversations to be read in the clear despite the end-to-end encryption of messages.
Their announcement took place at Real World Crypto 2018, a conference held on January 10 in Zurich, Switzerland, bringing together cryptography specialists and developers.
Authorization of the administrator not required
Researchers at Ruhr University in Germany explained that a third party who manages to take control of the application's servers could force new members into private group conversations, without any prior authorization from the conversation's administrator. This raises a concern about the confidentiality of the messages.
The principle of end-to-end encryption is to make messages unreadable to anyone they are not intended for, including the operator or service provider. Thus the WhatsApp servers responsible for relaying a message from sender to recipient cannot decrypt it, since they do not hold the key.
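As an added illustration (not WhatsApp's code and not the researchers' model), here is a toy group in which members trust any membership update relayed by the server, beside one in which an update is only accepted when it carries a tag computed with the admin's group-management key; the group id, the admin key and the member names are constructed for the example, and an HMAC stands in for an admin signature.

```python
import hmac
import hashlib
import os

GROUP_ID = b"group-42"       # constructed sample group identifier
ADMIN_KEY = os.urandom(32)   # assumed admin group-management key; members hold it for verification


def management_tag(key, action, member):
    """Tag over (group, action, member); stands in for an admin signature."""
    msg = GROUP_ID + b"|" + action.encode() + b"|" + member.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    def __init__(self, name, members, verify_key=None):
        self.name = name
        self.members = set(members)
        # None means the client takes the server's word on who is in the group.
        self.verify_key = verify_key

    def handle_add(self, new_member, tag):
        """Process an 'add member' update relayed by the server; True if accepted."""
        if self.verify_key is not None:
            expected = management_tag(self.verify_key, "add", new_member)
            if not hmac.compare_digest(expected, tag):
                return False  # not authorized by the admin: ignore the update
        # Once a name is in this set, future group messages are encrypted to it too.
        self.members.add(new_member)
        return True


def server_injects_member(clients, intruder):
    """A server that controls delivery relays an 'add' it made up itself."""
    forged_tag = b"\x00" * 32  # the server has no admin key, so it cannot tag
    return {c.name: c.handle_add(intruder, forged_tag) for c in clients}


def admin_adds_member(clients, new_member):
    """A genuine addition: the admin tags the update before the server relays it."""
    tag = management_tag(ADMIN_KEY, "add", new_member)
    return {c.name: c.handle_add(new_member, tag) for c in clients}
```

With `verify_key=None` every client accepts the injected member and would start encrypting group traffic to it; with the admin key set, only the admin-tagged addition goes through.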
"The value of this encryption is low"
"Group privacy is broken when the uninvited member can access and read all new messages. If I'm aware that there is end-to-end encryption for both groups and two-way conversations, it means that adding new members should be secure. If this is not the case, the value of this encryption is very low," said Paul Rösler, one of the specialists at the origin of the discovery.
It would seem that WhatsApp is facing a serious security risk, although one that is difficult to exploit, since it requires, as a prerequisite, control of the servers of the firm, a subsidiary of Facebook. Nevertheless, Alex Stamos, head of security at the US social network, does not seem alarmed: he said on Twitter that the company does not intend to remedy the defect identified by the researchers.
In sum, the clear notifications and multiple ways of checking who is in your group prevent silent eavesdropping. The content of messages in WhatsApp groups remains protected by end-to-end encryption.
– Alex Stamos (@alexstamos) January 10, 2018
"WhatsApp has been interested in the study," he says, adding that "clear notifications and multiple ways to check who's in your group prevent silent listening. The content of messages sent in WhatsApp groups remains protected by end-to-end encryption." WhatsApp believes that members of the private discussion would be kept informed of the presence of an intruder.
A year ago, the rumor that the WhatsApp app contained a backdoor had already made a splash. Experts in cryptography finally agreed that the alleged backdoor was not in fact one.