Which WhatsApp group has 100 members

Researchers at the Ruhr University Bochum have discovered a possible vulnerability in the WhatsApp messenger. According to their analysis, an attacker can smuggle new members into a group chat without the group administrator having invited them. Such a smuggled participant can read all future group messages and spy on the group. This bypasses the encryption that protects all WhatsApp chats. The case shows that WhatsApp's much-praised encryption does not work as fully as is often believed.

In April 2016, WhatsApp introduced end-to-end encryption, thereby significantly increasing security for users. Thanks to this technology, messages can only be read by the sender and recipient; external attackers cannot see the content. Even WhatsApp employees have no access to the message content.

Usually only the administrator can add new members to a group. However, WhatsApp does not check whether it was really the administrator who invited someone to a group. So anyone who controls the app's server can add new participants, the scientists have found. But network and security researcher Jörg Schwenk, who found the vulnerability with his colleagues Paul Rösler and Christian Mainka, warns against scare tactics: "Group chats are basically safe."
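A simplified model of the missing check described above, added here as an illustration; it is not WhatsApp's protocol or code. The message fields, the class names and the use of an HMAC key that the administrator's device holds and the server never sees are all assumptions made for the example.

```python
import hashlib
import hmac
import json

def _body(group_id, new_member):
    # Canonical encoding of the membership change that gets authenticated.
    return json.dumps({"group": group_id, "add": new_member}, sort_keys=True).encode()

def admin_add(admin_key, group_id, new_member):
    """Admin's device builds an 'add member' message and authenticates it."""
    tag = hmac.new(admin_key, _body(group_id, new_member), hashlib.sha256).hexdigest()
    return {"group": group_id, "add": new_member, "tag": tag}

class NaiveClient:
    """Models the reported behaviour: any add relayed by the server is accepted."""
    def __init__(self, members):
        self.members = set(members)

    def on_add(self, msg):
        self.members.add(msg["add"])
        return True

class VerifyingClient(NaiveClient):
    """Accepts an add only if it carries a valid tag made with the admin's key."""
    def __init__(self, members, admin_key):
        super().__init__(members)
        self.admin_key = admin_key

    def on_add(self, msg):
        expected = hmac.new(self.admin_key, _body(msg["group"], msg["add"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False  # not authorised by the admin: membership unchanged
        self.members.add(msg["add"])
        return True

def demo():
    key = b"constructed-demo-key"  # constructed sample key, unknown to the server
    members = {"alice(admin)", "bob"}
    genuine = admin_add(key, "g1", "carol")
    # Constructed server-originated add: the server has no key to make a valid tag.
    injected = {"group": "g1", "add": "mallory", "tag": "0" * 64}
    naive, strict = NaiveClient(members), VerifyingClient(members, key)
    return {"naive": [naive.on_add(genuine), naive.on_add(injected)],
            "strict": [strict.on_add(genuine), strict.on_add(injected)],
            "naive_members": sorted(naive.members),
            "strict_members": sorted(strict.members)}

if __name__ == "__main__":
    print(demo())
```

The model leaves out replay protection and key distribution; a real design would also use the administrator's signing key rather than a shared secret, so that ordinary members could not forge an add.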

A secret service could exploit the vulnerability

It is very time-consuming for an attacker to exploit this vulnerability. To gain access to the WhatsApp servers, the attacker would either have to work at WhatsApp, belong to a government that can legally access such servers, or be a pretty good hacker. An attack is therefore only possible for technically extremely well-versed professionals.

"The hurdles are very high," says Schwenk. "A secret service like the American NSA could take advantage of this and force WhatsApp to grant them access to the servers. This is problematic because the end-to-end encryption should actually prevent governments from reading messages, even if they control the app server."

Another limitation is that the vulnerability only affects group chats. Normal one-to-one chats remain protected by the encryption. They cannot be viewed even if an attacker takes over the WhatsApp server. A newcomer who has been smuggled in cannot read messages that have already been sent in a group, so the trick does not work retrospectively.

In addition, all group members receive a message that a new member has been added. The administrator in particular will then be wondering who the new guy is in the chat and how he got there. "The attacker could block certain messages in the group chat, such as warnings about the new member," says Schwenk. "However, he cannot hide the notification that a new participant has been added."

WhatsApp does not see any great danger

The researchers informed WhatsApp about the vulnerability back in July. The company does not deny it, but does not see any great danger: "Existing members will be notified when new participants are added to a WhatsApp group," writes the company in an email to the technology portal Wired.

Alex Stamos also puts the weak point into perspective. He is responsible for security at WhatsApp's parent company Facebook. "There is no secret way to join WhatsApp groups," he writes on Twitter. He also points out that all participants receive a message when a new user joins the group chat. To fix the vulnerability, WhatsApp would have to change a popular function, writes Stamos: group administrators can share a link to the group, and anyone who clicks on it is automatically added to the group. "There could be a way to better protect this feature, but how is not yet clear," Stamos said on Twitter.

The researchers also looked at the Signal and Threema messengers. Signal, which is based on the same encryption as WhatsApp, has similar problems, but the attacker would have to know the group's unique identification number, which is another hurdle. This is only possible if he can also access a group member's cell phone. There was another vulnerability in Threema that has already been fixed.