![]() Signal handles group management a bit differently. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server.” The problem with Signal and Threema The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. “When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add. Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.Īs noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed. The other participants will get a notification about a new user joining the group, but they have no way of knowing whether the new member was invited by the administrator(s). ![]() Paul Rösler, Christian Mainka, and Jörg Schwenk analyzed the three widely used protocols and their implementations, and found that if someone – e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) – gains control of WhatsApp’s servers, they could easily insert a new member in a private group without the permission of the group’s administrator(s). Researchers have discovered flaws in the way WhatsApp, Signal, and Threema messaging apps handle secure (encrypted) group communication, which could result in unauthorized users getting added to closed groups and monitoring future conversations within them. ![]()
0 Comments
Leave a Reply. |