04 Apr 2018
Warning: User data can be scraped from public WhatsApp groups
The feature is flawed by design and allows data to be harvested by anyone in the group.
This demonstrates how easily marketers, hackers, and governments can compromise user privacy on WhatsApp, at no cost and without breaking any policies.
Public WhatsApp groups can be found on the web
A WhatsApp group can have a maximum of 256 members, who join either by being added as contacts or through a circulated invite link.
Researchers pointed out that public WhatsApp groups can be found on the web and anyone can join them through the invite link.
While group members are notified about new joinees, the latter are not obligated to identify themselves in any way.
Hackers can access data like phone numbers, images, videos
In a draft paper, researchers detailed how they joined 178 public WhatsApp groups and gained access to their data, which WhatsApp stores in a SQLite database on the local device.
The researchers started receiving large streams of messages exchanged between 45k WhatsApp users over a period of six months.
This included mobile numbers of the group members, and any images, videos, and web links they shared.
Data is encrypted, but that doesn't stop hackers
Even though the data the researchers obtained was encrypted, it could be decrypted using a technique developed by Indian researchers L.P. Gudipaty and K.Y. Jhala. This was possible because the cipher key for the encrypted data was stored in the RAM of the mobile device itself.
Not the first time WhatsApp group chats are under scrutiny
Earlier, German cryptographers had discovered that anyone who is in control of WhatsApp's servers can infiltrate group chats. This meant that cybercriminals could add new people to WhatsApp group chats without the permission of the group admin, giving them unwarranted access to information.