Documenting a potential WhatsApp flaw

So in 2016, WhatsApp and Open Whisper Systems announced that WhatsApp would be using the Signal protocol to protect all chats, group chats, attachments, and so on and so forth. While there were some initial concerns about the implementation, I think it was largely welcomed as a positive move, improving the security and privacy of over a billion active users.

However, recently, I’ve been joining a bunch of groups for various reasons and I saw something interesting. A person in the group sent a reply to a message that was sent before I joined the group. Now, theoretically, there should be no way for me to see the original message, but I was still able to see a thumbnail (it was an image), and who sent the message. So, clearly, WhatsApp is attaching the original message of a reply to the reply itself, without checking who was originally authorized to see the message.

Now, bear in mind that I may be way off the mark here, I’m no expert by any means. Whatever I have picked up has been crumbs and there may be a very simple explanation for this whole thing.

WhatsApp Image

WhatsApp Image

So, as we can see in the above screenshots, I joined a group and I’m able to see the thumbnail of an image sent before I joined the group as part of a reply. And while that’s a pretty bad thing, it’s still somewhat okay, right? Clicking on the image takes me nowhere, and there’s no way for me to get any substantial detail from that highly compressed image in real-world cases, surely?

That’s where WhatsApp Web becomes a problem. WhatsApp Web is their solution for you to access your WhatsApp messages and conversations on your system. It isn’t a standalone system - it accesses your messages via your phone. The phone is an intermediary for your messages and you need to authorize a session on your phone.

WhatsApp Web comes with some slightly better UI options, making use of the bigger screen. For example, you can click on an image in a reply to see a preview of it. Even if the image was sent before you joined the group. And now we see that the full image seems to be attached to the reply.

WhatsApp Image

WhatsApp Image

What does this mean? This is technically a case where an encrypted message is visible to a user the message wasn’t intended for. Again, I may be missing a very simple explanation, and I’d love to know it. But if my hunch is right, there may potentially be a small flaw in WhatsApp’s group chat system.
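A simplified model of the behaviour suspected above, added here as an illustration; it is not WhatsApp's or Signal's code. The class names, the three quoting policies (`embed`, `embed_if_authorized`, `reference`) and the sample messages are constructed assumptions, with the last two policies shown only as design alternatives for comparison.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    body: str
    recipients: frozenset             # members the message was encrypted to when sent
    quote_id: Optional[int] = None    # id of the message being replied to
    quote_body: Optional[str] = None  # by-value copy of the quoted content, if embedded

class Group:
    def __init__(self, members):
        self.members = set(members)
        self.log = []

    def send(self, sender, body, reply_to=None, policy="embed"):
        quote_body = None
        if reply_to is not None:
            original = self.log[reply_to]
            now = frozenset(self.members)
            # "embed": always copy the original into the reply (the suspected behaviour).
            # "embed_if_authorized": copy only if every current recipient got the original.
            # "reference": never copy; clients resolve quote_id from their own history.
            if policy == "embed" or (policy == "embed_if_authorized"
                                     and now <= original.recipients):
                quote_body = original.body
        msg = Message(len(self.log), sender, body, frozenset(self.members),
                      reply_to, quote_body)
        self.log.append(msg)
        return msg

def readable_by(group, user):
    """Content `user` can decrypt: bodies and embedded quotes of messages sent to them."""
    seen = set()
    for m in group.log:
        if user in m.recipients:
            seen.add(m.body)
            if m.quote_body is not None:
                seen.add(m.quote_body)
    return seen

def late_joiner_view(policy):
    g = Group({"alice", "bob"})
    g.send("alice", "photo sent before carol joined")     # msg 0, constructed sample
    g.members.add("carol")                                 # carol joins afterwards
    g.send("bob", "nice one", reply_to=0, policy=policy)   # reply quoting msg 0
    return readable_by(g, "carol")
```

In this model the late joiner can read the earlier message only under `embed`, because the reply re-sends the old content under the current membership instead of the membership at the time the original was sent.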

Update

I quickly tried out Signal itself with a couple of friends, and the same issue seems to be present there. Replies are a new feature in the Signal app and it could be a similar implementation to WhatsApp’s.

Signal Image

Do note that I wasn’t able to test images in Signal.

Danke Shashank, and Kishan!

Aditya Saky
May 21, 2018