According to the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to a group, so an unauthorized person who is not even a member of the group can add someone to the group chat. WhatsApp, however, has turned down the claim.
The researchers detailed the findings at the Real World Crypto security conference in Zurich on Wednesday, according to Wired.
Researchers at the Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp or Signal servers can covertly add new members to any private group, allowing them to snoop on group conversations, all without the permission of the group administrator.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", Paul Rösler, one of the researchers, told Wired. However, doing so leaves traces, because the operation is listed in the graphical user interface; the WhatsApp server can thus use the fact that it can stealthily reorder and drop messages in the group. But the researchers have found that anyone in control of the server can break the authentication process, which grants them the privilege needed to add new members to private groups. According to the paper, investigation into "end-to-end protected group communications" has received only little attention.
"The phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages", the report added.
With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages. While the company, which is owned by Facebook, acknowledges the issue of server security, a spokesperson pushed back on the idea that attackers could block, cache or otherwise prevent the alert that new members have been added. The researchers say there are many risks in group chats where the hacker has control of the server, because they can then manipulate who gets what messages, delete messages and more.
On the surface, WhatsApp, which is owned by Facebook, appears to have a pretty big security flaw.
So the server can simply add a new member to a group with no interaction on the part of the administrator. "We built WhatsApp so group messages can not be sent to a hidden user".
That said, WhatsApp does continue to face pressure from governments over its use of end-to-end encryption.
According to WABetaInfo, a fan site that tests new WhatsApp features early, the popular mobile messaging platform has submitted the "Restricted Groups" setting via the Google Play Beta Programme in version 2.17.430.
While gaining access to WhatsApp servers is limited to the abilities of advanced hackers, the question is what happens when they gain access?