Here's how WhatsApp group messaging works: membership is maintained by the server. Clients of a group retrieve membership from the server, and clients encrypt all messages they send e2e to all group members.
If someone hacks the WhatsApp server, they can obviously alter the group membership. If they add themselves to the group:
1. The attacker will not see any past messages to the group; those were e2e encrypted with keys the attacker doesn't have.
2. All group members will see that the attacker has joined. There is no way to suppress this message.
Given the alternatives, I think that's a pretty reasonable design decision, and I think this headline pretty substantially mischaracterizes the situation. I think it would be better if the server didn't have metadata visibility into group membership, but that's a largely unsolved problem, and it's unrelated to confidentiality of group messages.
In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure. An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all.
There's no way to publish an academic paper about that, though, because there's no "attack" to describe, because there's no encryption to begin with. Without a paper there will be no talks at conferences, which means there will be no inflammatory headlines like this one.
To me, this article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don't build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not. It's much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.
Even if this is true, don't forget that in WhatsApp you don't get the message history when you join a group. Plus, everybody sees that someone joined. That doesn't take the problem away, but it makes the impact much smaller than it sounds.
> They say that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.
Given that WhatsApp isn't open source and so on, controlling the WhatsApp server, or controlling some part of its code, or controlling the signing keys, all can compromise the privacy and encryption.
This study shouldn't cause much surprise.
So the problem is WhatsApp servers can add people to groups? I don't want to be a cynic but aren't groups per se stored on a centralised server? Or the definition of a group at least. So this isn't much of a surprise?
Hah! Meanwhile in Facebook group chats, anyone can add anyone, and they get to see the whole conversation history immediately and completely irrevocably (even if someone removes them later, they get to keep the history until their removal, and you can’t delete Facebook messages either).
Hmm, this is interesting. I would expect that members would at least have some sort of room key (or at least signed assertion) that they would need to send to a new member, to ensure that the server couldn't unilaterally add participants.
This is a big nothing burger, you could practically infer the design from the fact that they supported encrypted group chats at all. Very sensible design IMO.
WhatsApp has some decent decisions even after the complexity of being tied down to a single device at a time.
WhatsApp Web is essentially a hack where any message you send through the web app is _always_ routed through your phone (which is why it needs to be connected all the time).
Earlier you could not even view the media on the web client without first downloading it on your phone. But now it looks like they've hacked it further such that you can view the E2E encrypted message on the web app without downloading it to your phone. I guess it achieves this via shipping the decryption key to the web app (just for the current session) where it allows it to decrypt messages in the browser and using the phone just as a router of sorts. This is just speculation based on apparent behavior though.
Potential solution: all participants will only start sending new messages to new participant/key if his "joined" message was signed by chat administrator (which they can verify). Server cannot fake this sig as it does not have administrator's key.
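The thread so far describes the design (the server keeps the membership list, clients encrypt to whoever is on it) and the comment above sketches the fix: clients accept a "joined" notice only if the group admin signed it, since the server has no admin key. The following is an added example written for this page, not WhatsApp's or the commenter's code. It uses Go's standard-library Ed25519, a constructed message layout (group id, member, sequence number) and constructed names and keys; it also adds a per-group sequence number so a genuine old notice cannot be re-delivered, which is an assumption beyond what the comment proposes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// MembershipChange is the control message ("bob joined") the server relays to
// every member. Field names and layout are assumptions made for this example.
type MembershipChange struct {
	GroupID string `json:"group_id"`
	Member  string `json:"member"`
	Seq     uint64 `json:"seq"` // per-group counter, so an old signed notice cannot be replayed
}

// SignedChange is the change plus the admin's Ed25519 signature over its encoding.
type SignedChange struct {
	Change MembershipChange
	Sig    []byte
}

// canonical is the byte string both signer and verifier hash. encoding/json
// writes struct fields in declaration order, so every client produces the same bytes.
func canonical(c MembershipChange) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // plain strings and integers only; cannot fail
	}
	return b
}

// SignChange is what the admin's client does when it adds someone.
func SignChange(adminPriv ed25519.PrivateKey, c MembershipChange) SignedChange {
	return SignedChange{Change: c, Sig: ed25519.Sign(adminPriv, canonical(c))}
}

var (
	ErrWrongGroup   = errors.New("change addressed to a different group")
	ErrBadSignature = errors.New("membership change not signed by the group admin")
	ErrReplay       = errors.New("stale or replayed membership change")
)

// Group is one client's local view of the membership. Only this view, never the
// server's list, decides whom the client encrypts new messages to.
type Group struct {
	ID       string
	AdminPub ed25519.PublicKey // learned when the group was created, not from the server later
	Members  map[string]bool
	lastSeq  uint64
}

// ApplyChange runs on every server-delivered "joined" notice. The server may deliver
// whatever it likes, but it cannot produce a signature that verifies under AdminPub.
func (g *Group) ApplyChange(sc SignedChange) error {
	if sc.Change.GroupID != g.ID {
		return ErrWrongGroup
	}
	if !ed25519.Verify(g.AdminPub, canonical(sc.Change), sc.Sig) {
		return ErrBadSignature
	}
	if sc.Change.Seq <= g.lastSeq {
		return ErrReplay
	}
	g.lastSeq = sc.Change.Seq
	g.Members[sc.Change.Member] = true
	return nil
}

// RunScenario plays out the thread's case with constructed keys and names: a genuine
// admin-signed add, an add the compromised server signs with a key it made up, and a
// replay of the genuine add. It returns the three outcomes and the final member count.
func RunScenario() (legit, forged, replay error, members int) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // key the attacker on the server holds

	// "grp-1", "alice", "bob" and "mallory" are constructed sample values.
	g := &Group{ID: "grp-1", AdminPub: adminPub, Members: map[string]bool{"alice": true}}

	add := SignChange(adminPriv, MembershipChange{GroupID: "grp-1", Member: "bob", Seq: 1})
	legit = g.ApplyChange(add)

	fake := SignChange(serverPriv, MembershipChange{GroupID: "grp-1", Member: "mallory", Seq: 2})
	forged = g.ApplyChange(fake)

	replay = g.ApplyChange(add) // server re-delivers the old genuine notice
	return legit, forged, replay, len(g.Members)
}

func main() {
	legit, forged, replay, n := RunScenario()
	fmt.Println("admin-signed add:", legit)   // <nil>
	fmt.Println("server-forged add:", forged) // rejected
	fmt.Println("replayed add:", replay)      // rejected
	fmt.Println("members:", n)                // 2 (alice, bob)
}
```

The point the code makes is that the trust boundary moves from the server to the admin's key: a client that only ever encrypts to members it has accepted through `ApplyChange` keeps sending to the two legitimate members no matter what list the server presents. What this does not solve is the metadata problem raised earlier in the thread (the server still sees who is in the group), nor admin-key distribution, which the example assumes happened out of band.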
If you are using WhatsApp, make sure you deactivate your account if you change phone numbers. I recently got a new phone number and when I logged in, I assumed a non-deactivated profile previously attached to my new number.
In case someone is wondering, the unique group link is of length 22, made of A-Z|a-z|0-9. You can also refresh a link; there isn't any limit on the number of refreshes it seems, but you won't be able to reach 62^22.
I don't get why people even consider using WhatsApp for secure messaging. Everybody knows it's owned by Facebook, and everybody knows how they operate.
How do other apps prevent this? Short of everybody in the group manually adding the new participant's key, I don't see why this flaw can't be replicated in other chat apps.
interesting post! But only the idea is kind of creepy... Anyways, if someone new enters the group this person is usually not able to see all the previous posts...
The most interesting part of this (to me at least) is that even our 'secure' messaging systems rely entirely on trusted entities. I don't think Signal is immune to this problem either, as you still need to communicate with their servers. As a distributed trust system, WhatsApp and Signal are single points of failure.
Messaging is analogous to money in a lot of ways. Perhaps we'll see a good distributed peer to peer messaging protocol at some point in the future.
I was like, ok, sounds like FUD to me, but reading what moxie said helped me to be sure: FUD for click-baiting.
Interesting, I remember when Moxie said:
"Pavel Durov wants to frame privacy as a question of trust"
Looks like that's what WhatsApp has now arrived at.
That anybody uses these proprietary "chat apps" for anything baffles me.
"If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption," says Matthew Green, a cryptography professor at Johns Hopkins University who reviewed the Ruhr University researchers' work. "It's just a total screwup. There's no excuse."
Someone was asking about blockchains. THIS is why you use blockchains. So you don't trust just the server. Actually everything on the Web trusts the server. That's just how the Web was designed.
Now, one way to mitigate this - and also improve security in open source projects - is to implement a blockchain hosted by many organizations which can't all be compromised easily.
At Qbix, we are working on a drop-in data structure that would implement arbitrary business rules in a secure way. The nice thing is you don't need everyone to adopt it, for it to help you secure your network.
For example, some guy starts a group so he has all the access and privileges, and he uses them to invite others and assign privileges. Then he repudiates his own privileges in the group. Now everyone can verify and be SURE that everyone has the same privileges - rules are added for different types of Messages posted on the Stream and are enforced by the blockchain.
That is how you do governance. It ain't easy but there can be packages made, of different governance types.
PS: However when you have end-to-end encryption, you don't need the blockchain to be hosted on servers. You can have the server relay messages between clients and enforce rules on the clients.
If you don't need consensus, sometimes you don't even need a blockchain! For example, with Reddit, you can just have an append-only Merkle Tree and have clients pass each other comments.
But what if you wanted to expand more comments? Do you have read permission? Do you have write permission?
One way to do it is on a per-thread basis. Each thread is owned by its OP. The rules are enforced by the OP and the messages are published by the OP. So then you trust the OP to be available (online) and accept and broadcast your reply etc.
But if you have MORE THAN ONE user involved in governance of a Stream (our terminology) then you need a blockchain. At the very least, to verify there are no malicious forks of a stream.
If you want to find out more you can look in my profile (about) and email me.
This was a deliberate design decision by WhatsApp. I even remember going to a talk by a WhatsApp engineer when they announced end-to-end encryption and he spent a fair amount of time detailing the method WhatsApp had implemented to allow for adding new users to groups while allowing these new users to read old messages. So I'm pretty sure this has been known from the start. Don't use Facebook products if you care about real security.