A recent formal analysis of WhatsApp's security protocols (the complete PDF can be downloaded at this address) has revealed a potential weakness that may worry more than a few users. A team of researchers found that, despite the end-to-end encryption so heavily advertised by Meta, the app has a significant vulnerability in how it manages group membership. Let's look in detail at the results of the analysis and their practical implications.
Index:
- WhatsApp servers can add "ghost" members to groups: here's what you need to know
- Other messaging apps do not fare much better
WhatsApp servers can add "ghost" members to groups: here's what you need to know
The study, conducted by a team of researchers led by Martin R. Albrecht of King's College London, analyzed in detail how the messaging app, which boasts billions of users worldwide, actually works. After examining and formally describing the cryptographic protocols it uses, the researchers gave WhatsApp a substantially positive evaluation, confirming that the app works securely and consistently with what was officially declared.
Despite this, a significant weakness emerged that cannot be ignored: WhatsApp has no cryptographic protection for group management. In practice, this means that WhatsApp's servers could add new members to a group without any cryptographic authorization from the administrators. An official client will display a notification of the addition, but it has no technical means of preventing it. The app does show a notification when someone is added, but the problem is that no technical protection prevents the action itself.
The process of adding new members to a WhatsApp group works like this:
- A group member sends an unencrypted message to the server designating which users are to be added to the group;
- The server informs all existing members of the addition;
- Existing members may decide whether to accept messages from the new members and whether to encrypt the messages they exchange with them.
The absence of cryptographic signatures in this process creates a potential security flaw that could be exploited by anyone with access to the servers, or by attackers who gain such access.
For the average user, the risk of being targeted is practically zero. The picture changes drastically, however, if you use the app for sensitive or confidential communications, especially in a professional setting.
Other messaging apps do not fare much better
It is interesting to note that other messaging apps have similar problems. Matrix, a collaboration and messaging platform that is decidedly unpopular, at least here in Italy, suffers from the same weakness, while Telegram is even worse, since it offers no end-to-end encryption at all for group messages. The only positive exception is Signal, which implements genuine cryptographic group management, ensuring that only authorized administrators can add new members, through a system of cryptographic keys shared only among the participants.
The question is not purely theoretical. Recently a journalist was accidentally added to a chat in which senior White House officials were discussing sensitive military operations. In that case it was human error, but imagine what could happen if an attacker with access to WhatsApp's systems decided to insert unauthorized members into groups that discuss or contain sensitive data.
WhatsApp, for its part, responded to the study by stressing that, as we illustrated above, the app always notifies users when new members join a group, and that users can enable security notifications for any change to the cryptographic codes; the company also declared that it is committed to continuously adding new levels of protection (although it did not specify them in detail).
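To make the difference between the two designs concrete, here is a small simulation added for this article (it is not code from WhatsApp, Signal, or the researchers, and it does not reproduce any real wire format). It models the addition process described above, where the client can only display a notice, next to an authenticated variant in the spirit of the Signal approach described in this paragraph, where a membership change must be issued by an admin, carry a fresh sequence number, and verify under a key that only the participants hold. The key, the participant names, and the use of an HMAC tag as a stand-in for the real signature scheme are all assumptions of this example.

```python
"""Simplified model of group-membership changes. Added illustration only:
NOT WhatsApp's, Signal's or the researchers' code or message format."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Group:
    admins: set
    members: set
    seq: int = 0
    # Assumption: a secret known only to the participants, never to the server
    # (in a real design it would travel inside the end-to-end encrypted channel).
    group_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def canonical(change: dict) -> bytes:
    """Deterministic encoding so both sides authenticate the same bytes."""
    return json.dumps(change, sort_keys=True).encode()


def sign_change(group_key: bytes, change: dict) -> str:
    """Authentication tag over a membership change (HMAC stands in for a signature)."""
    return hmac.new(group_key, canonical(change), hashlib.sha256).hexdigest()


def apply_unsigned(group: Group, change: dict) -> str:
    """Unprotected scheme (the weakness the study describes): any membership
    change that reaches the client is applied, whoever really produced it.
    The client can only show a notice, and the notice is not evidence."""
    group.members.update(change["add"])
    return "notice: %s added %s" % (change["by"], ", ".join(sorted(change["add"])))


def apply_signed(group: Group, change: dict, tag: str) -> str:
    """Authenticated scheme: the change must name an admin as issuer, carry the
    next sequence number (so a genuine old change cannot be replayed), and
    verify under the participants-only key. Returns the reason when rejected."""
    if change["by"] not in group.admins:
        return "rejected: issuer is not an admin"
    if change["seq"] != group.seq + 1:
        return "rejected: stale or out-of-order change"
    if not hmac.compare_digest(sign_change(group.group_key, change), tag):
        return "rejected: bad authentication tag"
    group.members.update(change["add"])
    group.seq = change["seq"]
    return "accepted"


def scenario_unsigned():
    """Constructed case: the server, which holds no key, injects a member and
    labels the change as coming from the admin. The client cannot tell."""
    g = Group(admins={"alice"}, members={"alice", "bob"})
    notice = apply_unsigned(g, {"by": "alice", "add": ["mallory"]})
    return notice, sorted(g.members)


def scenario_signed():
    """Constructed cases against the authenticated scheme."""
    g = Group(admins={"alice"}, members={"alice", "bob"})
    results = {}
    # 1. Legitimate admin addition, tagged with the participants' key.
    change = {"by": "alice", "add": ["carol"], "seq": 1}
    results["admin_add"] = apply_signed(g, change, sign_change(g.group_key, change))
    # 2. Server-injected addition: it can claim to be alice but has no key,
    #    so the best it can attach is a guess.
    forged = {"by": "alice", "add": ["mallory"], "seq": 2}
    results["server_forgery"] = apply_signed(g, forged, secrets.token_hex(32))
    # 3. Replay of the genuine change from step 1 (valid tag, old sequence number).
    results["replay"] = apply_signed(g, change, sign_change(g.group_key, change))
    # 4. A non-admin participant who does hold the key tries to add someone.
    bob_change = {"by": "bob", "add": ["dave"], "seq": 2}
    results["non_admin"] = apply_signed(g, bob_change, sign_change(g.group_key, bob_change))
    return results, sorted(g.members)


if __name__ == "__main__":
    print(scenario_unsigned())
    print(scenario_signed())
```

Running the script shows the unprotected group ending up with "mallory" in it under a notice that names the admin, while the authenticated group accepts only the admin's tagged change and rejects the server's forgery, the replay, and the non-admin request. One caveat on the model: because the tag here is a symmetric HMAC, it only proves that someone holding the participants' key produced the change, so the admin check depends on participants filling in the issuer field honestly; real designs give each member their own signing key so that an admin's authorization cannot be produced by another participant either.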
Below are the company's official statements:
We examined the researchers' report and appreciate their work. We designed WhatsApp to offer simple, reliable and private messaging at large scale to billions of people. For all groups, you receive a notification when someone new joins, and you can also enable security notifications that evidently warn you of any changes to the safety codes of those you are chatting with. We continue to add new levels of protection and will continue to do so.
If you belong to that slice of users who, legitimately, are particularly attentive to their privacy, or you routinely handle sensitive communications, our advice is to pay closer attention to member-addition notifications in WhatsApp groups and, in the most critical cases, to consider alternative applications that offer stronger security guarantees precisely in the management of groups.