by v1nc 3079 days ago
As said here: https://www.wired.com/story/whatsapp-security-flaws-encrypti...

"The researchers say that Open Whisper Systems, the non-profit that runs and maintains Signal, nonetheless responded to their work, saying that it's currently redesigning how Signal handles group messaging. Open Whisper Systems declined to comment on the record to WIRED about the Ruhr researchers' findings."

"In a phone call with WIRED, a WhatsApp spokesperson confirmed the researchers' findings. [...] And the WhatsApp spokesperson also noted that preventing the Ruhr University researchers' attack would likely break a popular WhatsApp feature that allows anyone to join a group simply by clicking on a URL." So I don't think WhatsApp will fix it.

2 comments

And to be honest, it could be better for security not to fix it. This way people will stay with WhatsApp and most chats remain e2e encrypted and safe. If WhatsApp breaks these features, people could switch to other messengers without e2e encryption (e.g. Facebook Messenger) for group chats.

And for those concerned about the issue, you can monitor the member list and make sure you carefully check all messages. If you're really concerned about encryption that's what you should do anyway.

> would likely break a popular WhatsApp feature that allows anyone to join a group simply by clicking on a URL

I think this is false. I wrote that on the Wired thread, but here's a way to fix it:

1. when you create a joining link, it creates a secret uuid

2. this uuid is shared with the rest of the group

3. if Alice joins the group, every uuid created is shared to Alice (except the one Alice used, if Alice used a joining link)

4. when Bob attempts to join the group via the group id, if Bob does not have a known code Bob is refused

5. if Bob uses a known code, Bob is accepted and everyone deletes the code

This does not prevent different participant views from being created, but this is already a problem in WA anyway.
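
The five-step scheme proposed in the comment above, sketched as an added example that is not part of the original thread and is not WhatsApp's code. The `Member` and `Group` classes, the in-memory group standing in for the end-to-end encrypted channel between members, and the use of a random UUIDv4 as the secret are all assumptions made for illustration.

```python
import hmac
import uuid


class Member:
    """One client's local view: its roster and the outstanding invite codes."""

    def __init__(self, name):
        self.name = name
        self.roster = {name}
        self.codes = set()

    def accept_join(self, newcomer, code):
        # Steps 4 and 5: refuse an unknown code, delete a known code on use.
        supplied = (code or "").encode()
        match = next((c for c in self.codes
                      if hmac.compare_digest(c.encode(), supplied)), None)
        if match is None:
            return False
        self.codes.discard(match)
        self.roster.add(newcomer)
        return True


class Group:
    """Hypothetical stand-in for the encrypted member-to-member channel."""

    def __init__(self, founder):
        self.members = {founder: Member(founder)}

    def create_invite(self, creator):
        # Steps 1 and 2: a member makes a secret UUID and shares it with the group.
        if creator not in self.members:
            raise KeyError(creator)
        code = str(uuid.uuid4())
        for member in self.members.values():
            member.codes.add(code)
        return code

    def join(self, newcomer, code):
        # Each member checks the code locally; the server never holds the codes.
        verdicts = [m.accept_join(newcomer, code) for m in self.members.values()]
        if not all(verdicts):
            return False
        # Step 3: the newcomer receives the remaining codes (the used one is gone).
        sponsor = next(iter(self.members.values()))
        joined = Member(newcomer)
        joined.roster = set(sponsor.roster)
        joined.codes = set(sponsor.codes)
        self.members[newcomer] = joined
        return True
```

As the comment says, this only gates admission on a secret the members hold; it does nothing to keep members' views of the roster consistent with each other.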