The world has been abuzz for weeks now about the inclusion of a journalist in a group message of senior White House officials discussing plans for a military strike. In that case, the breach was the result of then-National Security Advisor Mike Waltz accidentally adding The Atlantic Editor-in-Chief Jeffrey Goldberg to the group chat and no one else in the chat noticing. But what if someone controlling or hacking a messenger platform could do the same thing?
When it comes to WhatsApp—the Meta-owned messenger that’s frequently touted for offering end-to-end encryption—it turns out you can.
A clean bill of health except for…
A team of researchers confirmed that behavior in a recently released formal analysis of WhatsApp group messaging. They reverse-engineered the app, described the formal cryptographic protocols, and provided theorems establishing the security guarantees that WhatsApp provides. Overall, they gave the messenger a clean bill of health, finding that it works securely and as described by WhatsApp.
They did, however, confirm a behavior that should give some group messaging users pause: Like other messengers billed as secure—with the notable exception of Signal—WhatsApp doesn’t provide any sort of cryptographic means for group management.
“This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King’s College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.”
The chance of someone exploiting this weakness to access a WhatsApp group for soccer parents is likely nil. A nation-state operative, on the other hand, trying to crash a group of government officials discussing sensitive national security issues is well within the realm of possibility. In such a case, a WhatsApp admin with sufficient system privileges could add as many users to an existing group as desired. So could an attacker who managed to hack the WhatsApp infrastructure. With many groups numbering in the dozens or even hundreds of members, the notification might not be easy to notice.
