Previously, we looked at a critical issue on WhatsApp: messages are not completely deleted from mobile devices. That incomplete deletion creates weaknesses that let attackers monitor group conversations.
The primary purpose of end-to-end encryption is to remove the need to trust intermediaries: neither the company nor the servers relaying the data should be able to decrypt your messages or abuse their central position to manipulate the service.
However, end-to-end encrypted messaging services such as WhatsApp, Threema, and Signal have so far not fully achieved a zero-knowledge design, in which the server learns nothing it could misuse.
Researchers from Ruhr-Universität Bochum (RUB) in Germany have shown that anyone controlling the WhatsApp or Signal servers can covertly add new members to private groups, enabling them to monitor those group conversations without the group admin's permission.
According to the researchers, in one-to-one communication (when only two users talk) the server plays a limited role. In group chats, however, where messages are encrypted and broadcast to multiple users, the server takes on a larger role in managing the whole process.
Problems arise when the company's servers are trusted to manage the group members (the parties who ultimately have access to the group conversation) and the actions taken on the group.
The paper explaining the encryption issues in Signal, WhatsApp, and Threema group chats reveals that both Signal and WhatsApp fail to properly authenticate who is adding new members to a group: the request may come from an unauthorized party rather than from the group admin or a group member adding someone to the conversation.
According to the researchers, a malicious actor with access to the servers can perform unauthorized actions or block the group management messages that should inform users of new members.
“The described vulnerabilities allow attacker A, who controls the WhatsApp server or can break the transport layer, to take full control of the group. However, group access activities are logged in the user interface. The WhatsApp server can surreptitiously rearrange and suppress notifications within the group,” as mentioned in the article.
“It can store messages in the group's cache memory, read their content beforehand, and decide what to distribute to each member. Additionally, the WhatsApp server can forward these messages to each member to erase traces.”
WhatsApp has also acknowledged this issue and explained that if any new member is added to a group, other members will be notified.
“User privacy and security are of utmost importance to WhatsApp. That's why we collect very minimal information, and all messages sent on WhatsApp are fully encrypted.”
The researchers also advise the companies to address the issue by adding an authentication mechanism that ensures group management messages are accepted only when 'signed' by the group admin.
However, executing this attack is highly challenging, although users should still be aware of the issue.
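The admin-signed group management the researchers recommend, as an added example in Go that is not the researchers' or any messenger's code: the message layout, the sequence number and the use of Ed25519 are assumptions made for illustration. Each member keeps the admin's public key and accepts an "add member" message only if the admin signed it and it has not been seen before, so a server that injects, replays or re-signs such a message with its own key changes nothing.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
)

// GroupControl is a group-management message as a member receives it. The layout is a
// hypothetical one constructed for this example, not WhatsApp's or Signal's wire format.
type GroupControl struct {
	GroupID, Action, Member string // Action is e.g. "add"
	Seq                     uint64 // strictly increasing per group, so old messages cannot be replayed
	Signature               []byte // admin's Ed25519 signature over the fields above; empty if the server injected it
}

// encode serialises the signed fields with length prefixes so field boundaries are unambiguous.
func encode(m GroupControl) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, m.Seq)
	for _, f := range []string{m.GroupID, m.Action, m.Member} {
		b = append(append(b, byte(len(f)>>8), byte(len(f))), f...)
	}
	return b
}

// SignControl is what the admin's client does before handing the message to the server.
func SignControl(priv ed25519.PrivateKey, m GroupControl) GroupControl {
	m.Signature = ed25519.Sign(priv, encode(m))
	return m
}

// MemberState is what every member keeps: the admin's public key, the last accepted sequence number, and its member list.
type MemberState struct {
	AdminPub ed25519.PublicKey
	LastSeq  uint64
	Members  map[string]bool
}

// Accept applies a control message only if it is fresh and carries a valid admin signature; anything else is dropped.
func (s *MemberState) Accept(m GroupControl) bool {
	if m.Seq <= s.LastSeq || !ed25519.Verify(s.AdminPub, encode(m), m.Signature) {
		return false
	}
	s.LastSeq = m.Seq
	if m.Action == "add" {
		s.Members[m.Member] = true
	}
	return true
}
```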
https://Mytour.vn/lo-hong-whatsapp-cho-phep-tan-cong-tro-chuyen-nhom-22257n.aspx
Users should therefore make use of the protections their apps offer, such as enabling two-step verification on WhatsApp, which Mytour.vn covers in its guide on enabling WhatsApp two-step verification, to help secure and control access to the account. Note that two-step verification protects the re-registration of your phone number; it does not change how the server handles group management, so the notification that a new member has joined remains the thing to watch for.
