Flaws in the way several “secure” messenger apps handle group chats mean unauthorized users can be added to closed groups and monitor the conversations. The flaws were highlighted by researchers from Ruhr University Bochum in Germany at the Real World Crypto security conference.
Because nothing that happens on get2Clouds®, the securest messaging app and end-to-end (E2E) encrypted cloud sync and transfer app on Earth, passes through the company’s server, it does not have this vulnerability.
If someone sneaks into WhatsApp’s servers, they could easily insert a new member into a private group without the permission of the group’s administrator. Others in the chat will be notified of the new group member but have no way of knowing whether the administrator invited them. If the attacker controls the server, they can also block any messages sent by users who question the new addition or warn others about it.
When an administrator wants to add a member to a group on WhatsApp, it sends a message to the server identifying the group and the member to add. The server checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. Since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you trust the WhatsApp server.
On Signal, any member of a group can add new members by sending an encrypted group management message to the other participants. But the Signal protocol does not check whether the message was sent by an actual member of the group, meaning that anyone outside the group can send the message and, consequently, add a new user to the group. In Signal, the attack is more difficult to execute, but it is still possible and means that the app is not safe.
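The two weaknesses described above come down to two missing checks on a group management message: that it really originates from the claimed sender (so an untrusted server cannot forge it), and that the sender is a current member with the right to add people. The following added example, which is not code from get2Clouds, WhatsApp or Signal, models a group whose clients receive "add member" messages through an untrusted relay and shows both the unchecked behaviour and the hardened one. It is a simplification: the per-user keys in `USER_KEYS` and the HMAC tag stand in for the per-client signing key pair and digital signature a real messenger would use, and the group identifiers and user names are constructed.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Constructed stand-in for each client's signing key (a real messenger would use
# an asymmetric signature; HMAC is used here only so the script runs on the
# standard library). "mallory" is not a member of the example group.
USER_KEYS = {
    "alice": b"alice-key-constructed",
    "bob": b"bob-key-constructed",
    "mallory": b"mallory-key-constructed",
}


def _payload(body: dict) -> bytes:
    """Canonical encoding of the message body so sender and receiver tag the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


def sign_add(sender: str, group_id: str, new_member: str) -> dict:
    """Build an 'add member' message authenticated by the sender's key."""
    body = {"type": "add", "group": group_id, "sender": sender, "member": new_member}
    body["tag"] = hmac.new(USER_KEYS[sender], _payload(body), hashlib.sha256).hexdigest()
    return body


@dataclass
class GroupState:
    group_id: str
    admins: set
    members: set
    require_auth: bool  # False reproduces the unchecked behaviour, True the hardened one

    def apply_add(self, msg: dict) -> bool:
        """Apply an 'add member' message; return True if it was accepted."""
        if msg.get("type") != "add" or msg.get("group") != self.group_id:
            return False
        sender = msg.get("sender")
        if self.require_auth:
            # Check 1: the message is authenticated by the claimed sender's key,
            # so a relay that merely forwards traffic cannot fabricate it.
            key = USER_KEYS.get(sender)
            if key is None:
                return False
            body = {k: v for k, v in msg.items() if k != "tag"}
            expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                return False
            # Check 2: the (authenticated) sender is a current admin of this group,
            # which rejects outsiders even when their message is well-formed.
            if sender not in self.admins:
                return False
        self.members.add(msg["member"])
        return True


def demo_unchecked():
    """Relay-forged add accepted when clients trust the relay (returns (accepted, outsider_in_group))."""
    group = GroupState("g1", admins={"alice"}, members={"alice", "bob"}, require_auth=False)
    forged = {"type": "add", "group": "g1", "sender": "alice", "member": "mallory"}  # no valid tag
    return group.apply_add(forged), "mallory" in group.members


def demo_hardened():
    """Same forged message, an outsider's self-authenticated message, and a genuine admin add."""
    group = GroupState("g1", admins={"alice"}, members={"alice", "bob"}, require_auth=True)
    forged = {"type": "add", "group": "g1", "sender": "alice", "member": "mallory"}
    outsider = sign_add("mallory", "g1", "mallory")   # authentic, but mallory is not an admin
    genuine = sign_add("alice", "g1", "carol")
    return group.apply_add(forged), group.apply_add(outsider), group.apply_add(genuine), sorted(group.members)


if __name__ == "__main__":
    print("unchecked:", demo_unchecked())
    print("hardened:", demo_hardened())
```

Both checks are needed: authentication alone stops the relay from forging the admin's message, and the membership check stops an authenticated outsider from adding themselves. Note that even with both checks a server that carries the traffic can still drop messages, so these checks protect the group's confidentiality and membership, not its availability.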
Because E2E encryption should not depend on uncompromised servers, none of what happens on get2Clouds goes through the company server. Only the user device can add or remove members from chats, so it is not vulnerable to this sort of attack.