
Attack of the Week: Group Messaging in WhatsApp and Signal - dankohn1
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/
======
aplorbust
"This means the privacy of your end-to-end encrypted group chat is only
guaranteed if you actually trust the WhatsApp server."

"This undermines the entire purpose of end-to-end encryption."

"And yet, the entire point of end-to-end encryption is to remove the server
from the trusted computing base."

"The challenge here is that since WhatsApp itself determines who the
administrators are, this isn't quite so simple."

Not only does this system require trusting a third party, that party is none
other than Facebook. Its business is built on learning about the lives of
users and selling ads, not serving as a naive broker of "secure messages".

~~~
yuliyp
Hyperbolic much?

This is a weakness that not only requires WhatsApp to be malicious but to not
care about the trivial visibility of an exploit (the client would still
display the extra person being added to the group chat).

~~~
rickycook
not malicious per se, just with non-obvious ulterior motives

~~~
whyever
They have a feature where you can invite people to the group with a link that
requires the server being able to add people. Isn't that a fairly obvious
motive?

------
ktpsns
"Do we trust the WhatsApp server?" -- could be also formulated as: "Do we
trust the WhatsApp client?". It is obviously made by the same people. Both are
closed source and the protocol is reverse engineered. What's the point if they
made an auditing but do not communicate the results? It's probably not too
surprising if reverse engineering points out vulnerabilities. It's a fenced
ecosystem which claims to establish a secure communication but does not.

~~~
george3383
Having an open source client and server would help how? How would you know the
server is running that software? Or that the binaries distributed via the App
Store don't have some special spice?

And as far as I know the WhatsApp protocol is simply tokenised XMPP.

~~~
Karliss
If you have a proper end-to-end encryption protocol and a client which
correctly implements the protocol without additional backdoors, then it doesn't
matter what the server runs. If the client is open source you can verify and
build it yourself, or download the binary from a source that you trust.

------
baby
I wrote a brain dump about my thoughts on that here:
[https://www.cryptologie.net/article/437/on-real-world-crypto-and-secure-messaging/](https://www.cryptologie.net/article/437/on-real-world-crypto-and-secure-messaging/)

tl;dr is "I'd say the problem is in the reaction, not in the published
analysis."

~~~
george3383
The problem once again are the journalists making up stuff for clicks. Remove
the journalists from the equation and you will see there's no problem.

~~~
forapurpose
The article is by a cryptographer at Johns Hopkins, not a journalist.

------
Arnt
This is the kind of security problem Signal has nowadays? Kudos to moxie.

------
tinus_hn
The attack is real but I’m not impressed by the way they paper over the
notifications you’d get that they consider ‘easy to miss’. The messages you
get when someone gets a new phone/key are even easier to miss and they’re off
by default.

The point is that the server doesn't know if they're off, or whether you're
paying attention, so if it's cheating it runs the chance of being detected.

------
woliveirajr
There was some discussion here:
[https://news.ycombinator.com/item?id=16114809](https://news.ycombinator.com/item?id=16114809)

------
AdmiralAsshat
Seems like this could be fixed fairly easily with a set of gatekeeper options.
When a group gets created, you could have the option of making the group
Public (anyone can join), Invite-Only (anyone can join with an invitation from
someone already in the group), or Vetted (requires an invitation to join _and_
the person who made the group must approve each person who tries to join).

That way, you account for varying levels of paranoia.

------
sitkack
I have been the subject of a probing attack on Signal. The attacker put a
collection of messages into a group chat and saw which ones made it in.
Randomly, I am in a group Signal chat with 8-9 other people in my area code.

------
jgunsch
Does anyone know what the disclosure story is here?

Have WhatsApp and Signal had a chance to respond?

~~~
v1nc
As said here:
[https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/](https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/)

"The researchers say that Open Whisper Systems, the non-profit that runs and
maintains Signal, nonetheless responded to their work, saying that it's
currently redesigning how Signal handles group messaging. Open Whisper Systems
declined to comment on the record to WIRED about the Ruhr researchers'
findings."

"In a phone call with WIRED, a WhatsApp spokesperson confirmed the
researchers' findings. [...]And the WhatsApp spokesperson also noted that
preventing the Ruhr University researchers' attack would likely break a
popular WhatsApp feature that allows anyone to join a group simply by clicking
on a URL." So I don't think WhatsApp will fix it.

~~~
dx034
And to be honest, it could be better for security not to fix it. This way
people will stay with WhatsApp and most chats remain e2e encrypted and safe.
If WhatsApp breaks these features, people could switch to other messengers
without e2e encryption (e.g. Facebook Messenger) for group chats.

And for those concerned about the issue, you can monitor the member list and
make sure you carefully check all messages. If you're really concerned about
encryption that's what you should do anyway.

------
sleepybrett
It seems like all signal has to do is to take the step of validating that the
member sending the "group management" message is already in the group first.

------
sigenc
Interesting read:

[https://eprint.iacr.org/2017/666.pdf](https://eprint.iacr.org/2017/666.pdf)

[https://github.com/facebookresearch/asynchronousratchetingtree](https://github.com/facebookresearch/asynchronousratchetingtree)

------
problems
So they didn't bother to check if the add-to-group message was from someone in
the group?

I mean no offense to the developers, but this seems like a fairly basic
oversight and quite concerning that respected and popular products didn't get
this level of review until now.

No crazy cryptographic mess involving improper ordering of authentication or
weird random number generation: this is a simple logic bug. One that I'm sure
many of us would have considered if we were implementing it; things like this
do get missed too, of course, but enough eyes on the design could have caught
this.

~~~
arkadiyt
> One that I'm sure many of us would have considered if we were implementing
> it, things like this do get missed too of course, but enough eyes on the
> design could have caught this.

It wasn't a design flaw, it was an insecure-direct-object-reference
implementation flaw. IDORs are extremely common, but since the group id is an
unguessable 128 bits, the bug can only be used by someone who was already in
the group previously to rejoin the group. I'm sure it'll get patched shortly,
if it hasn't been already.

For the WhatsApp case, a malicious WhatsApp server could add someone to your
group, but everyone in the group would see it.

These bugs are not big deals. The real harm comes from regular people reading
articles like the Wired one or the famously wrong Guardian one and switching
to much worse alternatives, like SMS or Telegram.
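
As an added illustration of the check sleepybrett proposes above (only accept a group-management message if its sender is currently in the group) and of arkadiyt's point that, without it, a former member who still knows the group id could rejoin, here is a small Python model of a client-side authorization check. It is not code from the blog post, the thread, Signal or WhatsApp. The `GroupUpdate` message shape, the user names, the three join policies (borrowed from AdmiralAsshat's comment) and the assumption that the sender identity has already been authenticated at the message layer are all constructed for this example; the check runs on the client precisely because the server is outside the trusted computing base.

```python
"""Added example, not code from the blog post, the thread, Signal or WhatsApp.
Client-side authorization of group-management messages: the client decides
whether an "add"/"remove" is acceptable from (a) whether the authenticated
sender is a current member or admin and (b) the group's join policy."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class JoinPolicy(Enum):
    PUBLIC = "public"            # anyone may add themselves
    INVITE_ONLY = "invite_only"  # any current member may add others
    VETTED = "vetted"            # only admins (initially the creator) may add


@dataclass
class GroupState:
    group_id: str
    creator: str
    policy: JoinPolicy
    members: Set[str] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)
    audit_log: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.members.add(self.creator)
        self.admins.add(self.creator)


@dataclass(frozen=True)
class GroupUpdate:
    """Group-management message; sender identity assumed already authenticated
    (e.g. by a sender-key signature). Constructed shape, not a wire format."""
    group_id: str
    sender: str
    action: str   # "add" or "remove"
    target: str


def check_update(state: GroupState, msg: GroupUpdate) -> Tuple[bool, str]:
    """Decide whether msg may be applied, without consulting the server."""
    if msg.group_id != state.group_id:
        return False, "group id mismatch"
    if msg.action == "add":
        if msg.target in state.members:
            return False, "target is already a member"
        if msg.sender == msg.target:  # self-join
            if state.policy is JoinPolicy.PUBLIC:
                return True, "self-join allowed by public policy"
            return False, "self-join not allowed by policy"
        if msg.sender not in state.members:
            # The check the thread asks for: non-members, including former
            # members who still know the group id, cannot add anyone.
            return False, "sender is not a current member"
        if state.policy is JoinPolicy.VETTED and msg.sender not in state.admins:
            return False, "vetted group: only admins may add members"
        return True, "added by a current member"
    if msg.action == "remove":
        if msg.target not in state.members:
            return False, "target is not a member"
        if msg.sender == msg.target:
            return True, "member left"
        if msg.sender not in state.admins:
            return False, "only admins may remove others"
        return True, "removed by admin"
    return False, "unknown action"


def apply_update(state: GroupState, msg: GroupUpdate) -> Tuple[bool, str]:
    """Apply an accepted update; record every decision so the UI can surface
    rejected attempts instead of silently dropping them."""
    ok, reason = check_update(state, msg)
    state.audit_log.append((msg.sender, msg.action, msg.target, ok, reason))
    if ok and msg.action == "add":
        state.members.add(msg.target)
    elif ok and msg.action == "remove":
        state.members.discard(msg.target)
        state.admins.discard(msg.target)
    return ok, reason


def run_scenario() -> Tuple[GroupState, List[bool]]:
    """Constructed scenario: an invite-only group, an outsider, and an
    ex-member who tries to rejoin and to add a friend after being removed."""
    g = GroupState("grp-constructed-0001", "alice", JoinPolicy.INVITE_ONLY)
    script = [
        GroupUpdate(g.group_id, "alice", "add", "bob"),        # creator invites
        GroupUpdate(g.group_id, "bob", "add", "carol"),        # member invites
        GroupUpdate(g.group_id, "mallory", "add", "mallory"),  # outsider
        GroupUpdate(g.group_id, "alice", "remove", "bob"),     # admin removes
        GroupUpdate(g.group_id, "bob", "add", "bob"),          # ex-member rejoin
        GroupUpdate(g.group_id, "bob", "add", "dave"),         # ex-member adds
    ]
    return g, [apply_update(g, m)[0] for m in script]


if __name__ == "__main__":
    state, decisions = run_scenario()
    for entry in state.audit_log:
        print(entry)
    print("members:", sorted(state.members))
```

Running the scenario accepts the creator's invite, the member's invite and the admin's removal, and rejects the outsider's self-add, the ex-member's rejoin and the ex-member's invite, leaving alice and carol in the group. The audit log keeps the rejected attempts too, which is the detection angle tinus_hn raises: a server that injects a control message it is not entitled to send leaves a visible trace on every client that checks.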

~~~
WildGreenLeave
> The real harm comes from regular people reading articles like the Wired one
> or the famously wrong Guardian one and switching to much worse alternatives,
> like SMS or Telegram.

I can understand why you give SMS as an example, because it is just plaintext.
But why Telegram? As far as I know Telegram is probably better secured than a
service like WhatsApp.

Edit: the latter is an assumption from me, I do not have any claims to back
this up. That's why I'm asking.

~~~
arkadiyt
Telegram group messages are not end-to-end encrypted at all, the Telegram
service has access to all message content.

Wish you weren't getting downvoted for asking this - asking is how people
learn.

