WhatsApp is easily the application I use the most on a daily basis on my smartphones. I use it for work, I use it to reconnect, and I use it to send silly memes to silly people all the time.
Odds are, WhatsApp’s probably super important to you too. But when something’s very important, there will be people who will want to exploit it for malicious purposes — especially considering the amount of information that gets shared via WhatsApp. And the bad news is that these bad people may have a way in if you’re not careful.
It’s easy to lull yourself into a false sense of security when using WhatsApp, especially after the company rolled out end-to-end encryption in all forms of communication across their entire platform. However, a group of researchers found a flaw in WhatsApp that could potentially be a gate into your secure conversations: Group chats.
Yup. According to the researchers, anyone who has control over WhatsApp’s servers could insert new members into private group chats without the permission of the group’s administrator. TechCrunch reports that the flaw takes advantage of “a bug in how WhatsApp handles group chats”. Only the administrator of a group can invite new people in, but WhatsApp doesn’t use any authentication mechanism for invitations that “its own servers cannot spoof”.
This means that once an attacker gains access to WhatsApp’s servers, they can insert themselves into groups, gaining access to any future messages in the group. That said, they won’t be able to read messages sent prior to them joining the group.
TechCrunch also reports that attackers with access to WhatsApp’s servers could selectively block any messages in the group, preventing participants from warning the others of the intruder.
While this could be a not-insignificant vulnerability, the attackers would first have to hack into WhatsApp’s servers, which is no easy task. Cybersecurity company Kaspersky Lab’s security researcher Victor Chebyshev said that hacking WhatsApp’s servers is “not easy from a technical perspective” and that it “takes a lot of time and effort”. Victor says that it’s far easier for attackers to hack and gain control of a group chat member’s mobile device than it is to hack the servers.
Nevertheless, you should be careful with the information you share in WhatsApp group chats. One way would be to pay close attention to the members of your group and verify their security code for extra security. Administrators should also monitor and manually control the addition of new members.
If you absolutely must share sensitive information like passwords or pictures of your junk (why are you doing this in a group chat, btw), do so via private messaging instead.