Researchers have discovered flaws in the way WhatsApp, Signal, and Threema messaging apps handle secure (encrypted) group communication, which could result in unauthorized users getting added to closed groups and monitoring future conversations within them.
The problem with WhatsApp
Paul Rösler, Christian Mainka, and Jörg Schwenk analyzed the three widely used protocols and their implementations, and found that if someone – e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) – gains control of WhatsApp’s servers, they could easily insert a new member in a private group without the permission of the group’s administrator(s).
The other participants will get a notification about a new user joining the group, but they have no way of knowing whether the new member was invited by the administrator(s). Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.
As noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed.
“When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server.”
The problem with Signal and Threema
Signal handles group management a bit differently. All group members are deemed administrators, and can thus add a new group member by sending an encrypted group management message to the other participants.
But, as it turns out, the Signal protocol does not check whether the message was sent by an actual member of the group, meaning that anyone outside the group can send the message and, consequently, add a new user to the group.
“The good news is that in Signal the attack is very difficult to execute,” Green noted. “The reason is that in order to add someone to your group, I need to know the group ID. Since the group ID is a random 128-bit number (and is never revealed to non-group-members or even the server) that pretty much blocks the attack. The main exception to this is former group members, who already know the group ID — and can now add themselves back to the group with impunity.”
In Threema, only the creator of a group is the administrator, each group has a unique ID, and all group messages contain this ID. But attackers who gain control of a Threema server can replay messages or add a previously removed user back into a group, the researchers found.
The main problem is this: end-to-end encryption, which all of these messaging apps purport to offer, should not depend on uncompromised servers.
“We haven’t entirely achieved this yet, thanks to things like key servers. But we are making progress. This bug is a step back, and it’s one a sophisticated attacker potentially could exploit,” Green noted.
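The three gaps described above map to three checks a receiving client can make before applying an "add member" message, shown here as an added example that is not code from the researchers or from any of the messengers. It assumes each member shares a pairwise end-to-end key with the administrator that the server never sees, and uses an HMAC under that key as a stand-in for an administrator signature; `GroupClient`, the message fields, and all names and keys are constructed for illustration.

```python
import hashlib
import hmac
import json

def tag(key: bytes, body: dict) -> str:
    """MAC over a canonical encoding of the management message body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class GroupClient:
    """One member's local view of a group (constructed model, not a real app)."""

    def __init__(self, group_id, admins, members, pairwise_keys):
        self.group_id = group_id
        self.admins = set(admins)
        self.members = set(members)
        self.keys = pairwise_keys  # sender -> end-to-end key, unknown to the server
        self.last_seq = {}         # sender -> highest sequence number accepted

    def handle_add(self, msg: dict) -> str:
        body, sender = msg["body"], msg["body"]["sender"]
        if body["group"] != self.group_id:
            return "reject: wrong group"
        # Signal-style gap: check the sender against local group state.
        if sender not in self.admins:
            return "reject: sender is not an administrator"
        # WhatsApp-style gap: the server's word is not enough; verify end-to-end.
        if not hmac.compare_digest(tag(self.keys[sender], body), msg.get("tag", "")):
            return "reject: bad authentication tag"
        # Threema-style gap: a replayed (old) message must not be applied again.
        if body["seq"] <= self.last_seq.get(sender, 0):
            return "reject: replayed message"
        self.last_seq[sender] = body["seq"]
        self.members.add(body["add"])
        return "accept"

def demo():
    key = b"constructed-pairwise-key-alice-bob"
    bob = GroupClient("g1", {"alice"}, {"alice", "bob"}, {"alice": key})
    body = {"group": "g1", "sender": "alice", "add": "carol", "seq": 1}
    genuine = {"body": body, "tag": tag(key, body)}
    forged_body = {"group": "g1", "sender": "alice", "add": "mallory", "seq": 2}
    forged = {"body": forged_body, "tag": "00" * 32}  # the server holds no key
    outsider = {"body": {"group": "g1", "sender": "eve", "add": "eve", "seq": 1}, "tag": ""}
    results = [bob.handle_add(m) for m in (genuine, forged, outsider, genuine)]
    return results, sorted(bob.members)
```

Calling `demo()` feeds Bob's client a genuine add, a server-forged add, an add from a non-member, and a replay of the genuine add; only the first changes the member list.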
The researchers disclosed their findings to the three companies developing the messengers last summer, and Threema has already pushed out a fix.
Open Whisper Systems, the creators of Signal, told Wired that they are currently redesigning how Signal handles group messaging, but did not share any more than that.
WhatsApp said that the “group invitation bug” is a theoretical danger that’s additionally minimized by the fact that users will receive a notification about a new user joining the group. Also, the spokesperson noted, administrators could warn users about the new, unauthorized addition via private messages.
That seems to be enough for them at the moment, especially because a fix for the flaw could end up breaking the convenient “group invite link” feature.