The WhatsApp security flaw allows anyone with access to WhatsApp’s server to snoop on WhatsApp groups and read all messages without the admin finding out about it.

WhatsApp security flaw highlights end-to-end encryption fail, all...

Have you ever wondered whether your WhatsApp group conversations are being monitored by the government? A security flaw in WhatsApp can give access to group conversations to outsiders without the knowledge of the group administrator. A group of researchers from Ruhr University Bochum in Germany described a series of flaws in instant messaging apps including Signal, WhatsApp and Threema, all three of which claim end-to-end encryption of their messages.

While the flaws in Signal and Threema are mostly harmless, the researchers' findings state that anyone who has access to WhatsApp servers can easily insert themselves into a group conversation without the admin ever knowing.

Although the fact that the eavesdropper requires access to WhatsApp’s servers makes the flaw a little less dangerous, the implications are alarming. The vulnerability can be leveraged by sophisticated hackers who can break into the instant-messaging app’s servers. Moreover, the flaw can easily allow WhatsApp staff, or government elements that legally coerce the company into giving them access, to compromise private group conversations.

However, that doesn’t ring right with what WhatsApp claimed. The company set a benchmark for mainstream instant messaging apps by enabling end-to-end encryption of all chats under the premise that even a compromised server shouldn’t divulge details. Messages sent to an individual or a group can only be read by the recipients, not even by the servers themselves.

The researchers state the flaw takes advantage of a simple bug that allows the server to add a new member to the group without interacting with the group admin. The phone of every member of the group then shares the encryption key with the new member, providing the eavesdropper with complete access to any future messages.

When a new member is added to the group, the addition is visible to every participant, including the admin. But the researchers pointed out some tricks to delay the detection. The person who controls the WhatsApp server through which he was implanted into the group can also use the server to block any message in the group, including the ones that welcome a new member to the group.

The hijacked server can even send different messages to different admins (if there are multiple admins) making it appear that another admin has invited the new member. The spy can also prevent the admin from removing him from the group if discovered.
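The server-initiated member addition described above comes down to clients applying membership changes that no admin authenticated. The following is an added example, not code from the article, the researchers or WhatsApp: a simplified model that contrasts a client trusting any relayed update with one that requires an admin authenticator and rejects replays. The class names, message fields and key are hypothetical, and HMAC under a key the server never sees stands in for an admin's digital signature.

```python
import hashlib
import hmac
import json

# Constructed sample values; HMAC under a key the server never sees stands in
# for an admin's digital signature (an assumption of this simplified model).
ADMIN_KEY = b"constructed-admin-key"
GROUP_ID = "group-1"

def admin_tag(key, group_id, action, member, seq):
    """Authenticator binding one membership change to a group and sequence number."""
    msg = json.dumps([group_id, action, member, seq]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class NaiveClient:
    """Applies whatever membership update the server relays."""
    def __init__(self, members):
        self.members = set(members)

    def on_update(self, upd):
        if upd["action"] == "add":
            self.members.add(upd["member"])  # group key would now go to this member
        else:
            self.members.discard(upd["member"])
        return True

class VerifyingClient(NaiveClient):
    """Applies an update only if an admin authenticated it and it is not a replay."""
    def __init__(self, members, key):
        super().__init__(members)
        self.key, self.last_seq = key, 0

    def on_update(self, upd):
        want = admin_tag(self.key, GROUP_ID, upd["action"], upd["member"], upd["seq"])
        if not hmac.compare_digest(want.encode(), str(upd.get("tag", "")).encode()):
            return False  # server-originated change with no admin authorisation
        if upd["seq"] <= self.last_seq:
            return False  # old admin message replayed by the server
        self.last_seq = upd["seq"]
        return super().on_update(upd)

def signed(action, member, seq):
    """Build a membership update as an admin holding ADMIN_KEY would."""
    return {"action": action, "member": member, "seq": seq,
            "tag": admin_tag(ADMIN_KEY, GROUP_ID, action, member, seq)}

if __name__ == "__main__":
    forged = {"action": "add", "member": "eve", "seq": 1}  # injected by the server
    for client in (NaiveClient({"alice", "bob"}), VerifyingClient({"alice", "bob"}, ADMIN_KEY)):
        print(type(client).__name__, client.on_update(forged), sorted(client.members))
```

The sequence check matters because a server that cannot forge an admin's authenticator could otherwise replay an old, genuine "add" after that member had been removed.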

WhatsApp confirmed the security flaw to Wired but added that it’s impossible to secretly add a new member to a group. However, to seal the breach of security outlined by the researchers, WhatsApp has to essentially roll back the group invite link feature that allows admins to simply send an invite link to a person who wants to join a group.

The researchers told Wired that they informed WhatsApp about the flaw back in July 2017 and that, in response, WhatsApp did fix part of the problem by making it difficult to decrypt future messages even after obtaining the encryption key.

Digit NewsDesk
