While WhatsApp boasts great end-to-end encryption of messages – a boon for those who crave privacy but a source of chagrin for many in the law enforcement community – it seems the messaging service is susceptible to attacks on user privacy. A research paper released at a security event this week describes how group chats can be leveraged by snoops.
According to the full research paper, released this week at the Real World Crypto security conference held in Zurich, someone accessing WhatsApp’s servers could add someone to a private group chat and read messages, or even re-order, remove or add messages to the chat.
The good news is that the attack method the researchers proposed is difficult to execute. As Wired puts it, this type of attack is probably limited to “sophisticated hackers who could compromise those servers, WhatsApp staffers, or governments who legally coerce WhatsApp to give them access”.
There’s no doubt that encryption is a critical tool for protecting our data. But many attacks on encrypted systems don’t break the encryption – they bypass it, because the processes around the encrypted data are usually far weaker than even bad encryption.
I’m not too worried about this potential attack vector, but there is a valuable lesson for all of us. Encryption is just part of a robust security strategy. Access control and monitoring are equally important.