A new vulnerability in WhatsApp has been discovered:
...the researchers unearthed far more significant gaps in WhatsApp's security: They say that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.
Matthew Green has a good description:
If all you want is the TL;DR, here's the headline finding: due to flaws in both Signal and WhatsApp (which I single out because I use them), it's theoretically possible for strangers to add themselves to an encrypted group chat. However, the caveat is that these attacks are extremely difficult to pull off in practice, so nobody needs to panic. But both issues are very avoidable, and tend to undermine the logic of having an end-to-end encryption protocol in the first place.
Here's the research paper.
EDITED TO ADD (2/12): Commentary from Moxie Marlinspike, the developer of the protocol.
Posted on January 25, 2018 at 6:47 AM • 22 Comments