
The flow of adding new members to a WhatsApp group message is:

1. A group member sends an unsigned message to the WhatsApp server that designates which users are group members, for instance, Alice, Bob, and Charlie
2. The server informs all existing group members that Alice, Bob, and Charlie have been added
3. The existing members have the option of deciding whether to accept messages from Alice, Bob, and Charlie, and whether messages exchanged with them should be encrypted

With no cryptographic signatures verifying an existing member wants to add a new member, additions can be made by anyone with the ability to control the server or messages that flow into it.
Using the common fictional scenario for illustrating end-to-end encryption, this lack of cryptographic assurance leaves open the possibility that Malory can join a group and gain access to the human-readable messages exchanged there.

WhatsApp isn't the only messenger lacking cryptographic assurances for new group members.
In 2022, a team that included some of the same researchers that analyzed WhatsApp found that Matrix, an open source and proprietary platform for chat and collaboration clients and servers, also provided no cryptographic means for ensuring only authorized members join a group.
The Telegram messenger, meanwhile, offers no end-to-end encryption for group messages, making the app among the weakest for ensuring the confidentiality of group messages.

In contrast, the open source Signal messenger provides a cryptographic assurance that only an existing group member designated as the group admin can add new members.
In an email, researcher Benjamin Dowling, also of King's College, explained:

Signal implements "cryptographic group management."
Roughly this means that the administrator of a group, a user, signs a message along the lines of "Alice, Bob and Charley are in this group" to everyone else.
Then, everybody else in the group makes their decision on who to encrypt to and who to accept messages from based on these cryptographically signed messages, [meaning] who to accept as a group member.
The system used by Signal is a bit different [than WhatsApp], since [Signal] makes additional efforts to avoid revealing the group membership to the server, but the core principles remain the same.

On a high-level, in Signal, groups are associated with group membership lists that are stored on the Signal server.
An administrator of the group generates a GroupMasterKey that is used to make changes to this group membership list.
In particular, the GroupMasterKey is sent to other group members via Signal, and so is unknown to the server.
Thus, whenever an administrator wants to make a change to the group (for instance, invite another user), they need to create an updated membership list (authenticated with the GroupMasterKey) telling other users of the group who to add.
Existing users are notified of the change and update their group list, and perform the appropriate cryptographic operations with the new member so the existing member can begin sending messages to the new members as part of the group.

Most messaging apps, including Signal, don't certify the identity of their users.
That means there's no way Signal can verify that the person using an account named Alice does, in fact, belong to Alice.
It's fully possible that Malory could create an account and name it Alice.
(As an aside, and in sharp contrast to Signal, the account members that belong to a given WhatsApp group are visible to insiders, hackers, and to anyone with a valid subpoena.)
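
A simplified sketch of the authenticated membership list described in the email above, added here as an illustration and not Signal's or WhatsApp's code. It assumes HMAC-SHA256 keyed from the GroupMasterKey as a stand-in for Signal's actual construction; the revision counter, function names and sample key are hypothetical.

```python
import hashlib
import hmac
import json


def _auth_key(group_master_key: bytes) -> bytes:
    # Assumed derivation: a sub-key used only to authenticate membership lists.
    return hmac.new(group_master_key, b"membership-auth", hashlib.sha256).digest()


def sign_membership(group_master_key: bytes, revision: int, members: list) -> dict:
    # Canonical encoding so every client computes the tag over identical bytes.
    body = json.dumps({"revision": revision, "members": sorted(members)},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(_auth_key(group_master_key), body.encode(), hashlib.sha256)
    return {"body": body, "tag": tag.hexdigest()}


class GroupMember:
    """Client-side state of an existing member who holds the GroupMasterKey."""

    def __init__(self, group_master_key: bytes, members: list):
        self._key = group_master_key
        self.revision = 0
        self.members = set(members)

    def apply_update(self, update: dict) -> bool:
        body = str(update.get("body", "")).encode()
        expected = hmac.new(_auth_key(self._key), body, hashlib.sha256).hexdigest()
        tag = str(update.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False  # not authenticated with the group key: ignore it
        parsed = json.loads(body)
        if parsed["revision"] <= self.revision:
            return False  # authentic but stale: refuse replay of an old list
        self.revision, self.members = parsed["revision"], set(parsed["members"])
        return True


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, shared member-to-member
    bob = GroupMember(key, ["alice", "bob"])
    admin_update = sign_membership(key, 1, ["alice", "bob", "charlie"])
    # What a party without the key (e.g. the server) could relay: no valid tag.
    unsigned = {"body": json.dumps({"revision": 2, "members": ["alice", "bob", "malory"]}),
                "tag": "00" * 32}
    return {"admin": bob.apply_update(admin_update),
            "unsigned": bob.apply_update(unsigned),
            "replay": bob.apply_update(admin_update),
            "members": sorted(bob.members)}
```

In the unsigned flow the article describes for WhatsApp, there is no equivalent of the tag check, so clients have nothing to reject a server-originated membership change with.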