Alarming WhatsApp Security Flaw Permits People ‘spy on private chats’

A massive WhatsApp security flaw has been discovered that allows anyone to infiltrate people’s group chats.

Despite the service’s encryption, experts have said that hackers can insert anyone into WhatsApp groups without anyone knowing. The hackers can also insert the person without the permission of the chat’s admin — who usually has to approve people before they are added to the chat.

Despite the flaw being found, Facebook who owns WhatsApp, has said that they won’t be fixing the problem. They are adamant that group chats ‘remain protected’ by the app’s encryption.

Facebook’s Chief Security Officer Alex Stamos wrote on Twitter that the bug is not effective because WhatsApp users are notified when new members join conversations.

The study was presented at the Real World Crypto security conference in Zurich, Switzerland, by a group of researchers from Ruhr University Bochum in Germany. They found that anyone who has control over WhatsApp’s servers can add people to private group chats. These include staff, hackers and governments who legally demand access to WhatsApps conversations.

Researchers suggest that people who want to keep their privacy, stick to one on one chats or use a different encrypted messaging service for group chats.

In response to the study, which was first reported by Wired, Facebook’s Chief Security Officer Alex Stamos wrote on Twitter, ‘Read the Wired article today about WhatsApp – scary headline! But there is no a secret way into WhatsApp groups chats.’

He added that it’s a ‘stealthy’ strategy to spy on people’s conversations.

On WhatsApp, existing members of a group are notified when new people are added. WhatsApp is built so group messages cannot be send to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.
— Alex Stamos (@alexstamos) January 10, 2018

WhatsApp has looked at the report carefully – following the researcher’s plan would necessitate a change to the way WhatsApp provides a popular feature called group invite links – which are used millions of times per day.
— Alex Stamos (@alexstamos) January 10, 2018

In sum, the clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.
— Alex Stamos (@alexstamos) January 10, 2018

‘On WhatsApp, existing members of a group are notified when new people are added,’ he wrote.

‘WhatsApp is built so group messages cannot be send to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.’