WhatsApp is Testing for 'Demote as Admin' Feature in Group Chats

At the Real World Crypto security conference Wednesday in Zurich, Switzerland, a group of researchers from the Ruhr University Bochum in Germany plan to describe a series of flaws in encrypted messaging apps including WhatsApp, Signal, and Threema. They added that "WhatsApp doesn't use any authentication mechanism" when a new member is added to the group and this is something its own servers can spoof as well.

Speaking to Wired, one of the researchers said: "The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them". The server authenticates the administrator, confirms that they have the proper authority to add/remove members from that group, and then sends a signal to all of the members which notifies them that a new member has been added to their mutual group.

Once the eavesdropper is in the group, he/she would have access to all future messages sent to the group, as WhatsApp would generate secret keys for each member in the group and share them with the newcomer. WhatsApp is a widely used messenger and is available in more than 60 different languages, which include 10 Indian languages.

Staff and governments can legally demand access to the servers, and top-level hackers can control WhatsApp's servers. However, users still get a notification of a new member joining.
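The group-add gap described above, next to a client that refuses membership changes the server cannot prove came from an admin. This is an added example, not WhatsApp's protocol or code from the researchers: the `GroupClient` class, the message fields, and the per-admin secret (assumed to be shared over the existing end-to-end channel and never given to the server) are hypothetical.

```python
# Added illustration; message fields and GroupClient are hypothetical, not WhatsApp's protocol.
import hashlib, hmac, json

def mac_change(change, key):
    # Canonical JSON so the admin and the verifier MAC identical bytes.
    body = json.dumps(change, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).digest()

class GroupClient:
    def __init__(self, group_id, members, admin_keys):
        self.group_id = group_id
        self.members = set(members)
        self.admin_keys = dict(admin_keys)  # admin id -> secret the server never holds
        self.last_seq = 0                   # highest change counter applied so far

    def apply_unauthenticated(self, change):
        # The gap the article describes: the server's word alone changes membership.
        if change["action"] == "add":
            self.members.add(change["target"])
        return True

    def apply_authenticated(self, change, tag):
        key = self.admin_keys.get(change.get("admin"))
        if key is None or change.get("group") != self.group_id:
            return False                    # not from a known admin of this group
        if not hmac.compare_digest(mac_change(change, key), tag):
            return False                    # forged or altered in transit
        if change["seq"] <= self.last_seq:
            return False                    # replayed or reordered change
        self.last_seq = change["seq"]
        if change["action"] == "add":
            self.members.add(change["target"])
        return True

def demo():
    key = b"constructed-alice-bob-pairwise-secret"     # constructed sample value
    forged = {"group": "g1", "action": "add", "target": "mallory", "admin": "alice", "seq": 1}
    legit = {"group": "g1", "action": "add", "target": "carol", "admin": "alice", "seq": 1}
    naive = GroupClient("g1", {"alice", "bob"}, {"alice": key})
    strict = GroupClient("g1", {"alice", "bob"}, {"alice": key})
    naive.apply_unauthenticated(forged)                # server-injected, no proof needed
    results = [strict.apply_authenticated(forged, b"\x00" * 32),     # server has no key
               strict.apply_authenticated(legit, mac_change(legit, key)),
               strict.apply_authenticated(legit, mac_change(legit, key))]  # replay
    return sorted(naive.members), sorted(strict.members), results

if __name__ == "__main__":
    print(demo())
```

The counter check only rejects changes that arrive out of order or twice; it does not reveal a change the server silently drops.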

Security researcher Moxie Marlinspike in a forum post explained how WhatsApp group messaging works. Thus, servers cannot detect if the admin added new members or someone unknown joined the private conversation.

"We've looked at this issue carefully", a WhatsApp spokesperson said. WhatsApp has added end-to-end encryption across the app and made all conversations on the group private, which means they cannot be read by any third party, be it government, criminals or even WhatsApp itself.

Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline! But there is no [sic] a secret way into WhatsApp groups chats." WhatsApp is also testing a new "Quick Switch" feature to let users shift from voice call to video. "And if not, the value of encryption is very little", further added Paul Rosler.

"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group", the paper states. Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.