A dangerous security bug has been identified in the popular WhatsApp and Signal messenger aps that allows hackers to covertly gain access to encrypted group chats. The experts that discovered the exploit reveals that the problem lies in the intermediate servers and their configuration. The fact that they are among the most widely used mobile apps makes it a serious vulnerability.
WhatsApp and Signal Security Bugs Exposed: Group Chats Are No Longer Secure
Computer criminals have discovered a dangerous flaw in two of the most popular messaging apps — WhatsApp and Signal. The identified security bugs allow the criminals to exploit them and reveal the contents of encrypted group chats. The vulnerability was not found in the app itself but rather the intermediate servers that relayed the network traffic. The researchers state that malware users that can control them can covertly add new members to any private WhatsApp and Signal private chats without having the administrator’s permission which is usually required to do so.
Contrary to other infrastructure solutions the messaging apps give out the conversation controls to the servers which are not governed from within the main node. The classic example of a multi-chat instance (like the popular IRC protocol) work in asynchronous settings. The messages are posted to a central server which then delivers the content even if some of the group members are offline. Two main vulnerability allows a group intrusion to take place. The experts showcase how computer hackers can intrude into group conversations. The attackers can extract all messages from the group and also send out their own messages. The Signal app assigns administrative privileges to all users which is also delegated to the hackers.
WhatsApp and Signal Exploit Methodology
In order to gain access to the groups the criminals need to know the relevant group ID and the phone number of one of their members. Two attack types can be executed. The basic one requires the malicious user to have been a former member of the group. They can record the group ID using a modified client ID and with the extracted information can regain entry. The second type is the forging of credentials which need to be passed on to the intermediate app servers. Not only the hackers can extract, remove and edit the contents, but they can also reorder it. Some of the conclusions note that the WhatsApp Android app employs a key verification component that can partially be e circumvented for usability reasons.
The researchers note that while these examples focus on a limited number of popular applications their methodology and models can be applied to other protocols as well. Examples include: Allo, Wire and Facebook Messenger.