Rogue Server and Group Admins to Break End-to-end Encryption and Spy on Group Chats

Researchers from Ruhr-Universität Bochum (RUB) in Germany discovered that anyone who controls the WhatsApp or Signal servers can secretly add new members to any private group, giving them the ability to spy on group conversations without the administrator's permission.

According to the researchers, in a private conversation between two users the server plays a limited role, but in multi-user chats (group chats, where encrypted messages are broadcast to many users) the server's role grows to managing the entire process.

Besides this, an infiltrator can manipulate the server to selectively block any messages in the group, including messages that ask questions about, or warn of, the new entrant. Hence, no one gets notified when the person is added to the group.
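As an added illustration, not code from the article or from the RUB researchers, the following constructed Python model shows the defence against both problems described above: membership changes are authenticated with a key that the relay server never holds, and numbered so that a suppressed update is noticed by the clients. `GROUP_KEY`, `make_update` and `GroupClient` are assumptions of this model, not WhatsApp's or Signal's real protocol.

```python
import hashlib
import hmac
import json

# Constructed model of authenticated group management; not the real
# WhatsApp or Signal protocol. Members obtain GROUP_KEY over their
# pairwise end-to-end channels; the relay server never sees it.
GROUP_KEY = b"constructed-group-secret-shared-by-members-only"


def make_update(key, seq, action, member):
    """Member side: build a membership update and authenticate it."""
    body = json.dumps({"seq": seq, "action": action, "member": member},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class GroupClient:
    """Client view of a group; accepts only authenticated, in-order updates."""

    def __init__(self, key, members):
        self.key = key
        self.members = set(members)
        self.seq = 0  # number of the last accepted update

    def apply_update(self, update):
        expected = hmac.new(self.key, update["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["tag"]):
            return "rejected: unauthenticated update"  # server-injected change
        fields = json.loads(update["body"])
        if fields["seq"] != self.seq + 1:
            return "rejected: sequence gap"  # an update was suppressed or replayed
        if fields["action"] == "add":
            self.members.add(fields["member"])
        elif fields["action"] == "remove":
            self.members.discard(fields["member"])
        else:
            return "rejected: unknown action"
        self.seq = fields["seq"]
        return "accepted"


def demo():
    """Walk through the two server behaviours the article describes."""
    bob = GroupClient(GROUP_KEY, ["alice", "bob"])
    results = [bob.apply_update(make_update(GROUP_KEY, 1, "add", "carol"))]
    # A rogue server tries to add a listener without the members' key.
    forged = make_update(b"server-guess", 2, "add", "eavesdropper")
    results.append(bob.apply_update(forged))
    # The server suppresses update 2 (removal of carol) and forwards only update 3.
    make_update(GROUP_KEY, 2, "remove", "carol")  # never delivered to bob
    results.append(bob.apply_update(make_update(GROUP_KEY, 3, "add", "dave")))
    return results, sorted(bob.members)
```

Running `demo()` shows the forged addition rejected for lack of a valid tag and the out-of-order update rejected because of the gap, so the membership a client trusts never silently diverges from what the members authorised.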

Ankush Johar, director at Infosec Ventures, said: "These days, every conversation happens on group chats, whether it's party plans with your friends or a national-level privacy scam (like the one trading in Aadhaar). Two years back, WhatsApp added an end-to-end encryption feature to make sure that no intermediate organisation or individual can decrypt the messages or modify the data. Despite having this feature, WhatsApp is still not 100 percent secure for users and as a result can lead to a serious data breach.

"What's even scarier is that the infiltrator can modify the notification messages about a newly added member, thereby leaving no trace behind. As of now, what a user can do is keep a check on the number of members in the group; however, this would be difficult for a group with a large number of participants.

"Although this attack is not very easy to execute, under controversial pressure by surveillance bodies and attacks by state-sponsored hackers, this could be, or even may have been so far, the hack being used to break into end-to-end encrypted communication."
