After the acquisition by Facebook, Inc. , WhatsApp Messenger is equipped with many interesting features such as privacy settings, read receipts, ability to report as spam, sending PDF files, multiple group admins, Whatsapp group links etc.
WhatsApp allows a group admin to add multiple admins. This feature may cause trouble to group admins who created the group as they say ‘a feature to you is a vulnerability to me’ . It can be exploited by a malicious attacker to take over any whatsapp group if he is one of the group admins. The intention of writing this article is to make you aware that you should not make an unknown person your ‘group admin’. Please, Do not cause any trouble to others by using this trick. It can be categorized as a ‘Social Engineering Attack’ , in which users’ trust is exploited.
This is a very simple trick and does not require special technical skills. In order to perform this trick you must be a group admin of a whatsapp group. There may be nerds out there who knows this trick and some of them may have applied it.
Let’s get into some more details of this trick/hack. We will explain it by example of two group admins Bob, Alice and an attacker John Doe. Bob and Alice are group admins of a single WhatsApp group named ‘Yog Lovers’. The group is created to understand Yoga. Anyone interested in Yog can join this group. There were too many people spamming the group. Bob and Alice did not have much spare time to monitor the group so they were approached by a third person named ‘John’. John was made the third admin by Bob to monitor spam and remove people involved in spamming. John removed Bob and Alice and added them again. now John took over the ‘Yog Lovers’ whatsapp group and this is how John exploited Bob and Alice’s trust and performed a successful social engineering attack.
I reported this issue to Whatsapp support team explaining this potential loophole using an example and suggested them to introduce a ‘Moderator’ status, so a ‘Moderator’ can manage the group but he/she can not remove group ‘admins’. Here’s what whatsapp support replied in our email conversation.
“This is not a security flaw, it is intended. In WhatsApp we would like to promote trust. This is true and the new admin can remove the first admin and become the only admin. The solution is to give admin status to participants you trust.” -WhatsApp Support Team
WhatsApp suggests us to “give admin status to participants we trust”. We do respect Whatsapp’s statement regarding this issue. so kindly do not give unknown people admin status. it may be your last mistake as that group’s admin.
Facebook have a mechanism to assign page roles to people who manages a Facebook page.
Facebook page has an ‘Admin’ who created the page. ‘Admin’ can create other Admins, Editors, Moderators and Analysts. page roles and their privileges are as the screenshot below. Only ‘page admins’ can assign or change these roles.so Whatsapp can also follow such techniques to prevent this attack. Whatsapp can also apply such technique to prevent misuse of this trick.
Once again, I suggest you not use this trick to harass your friends/group admins. Social media is a platform that must be used responsibly.
You have found this information interesting and useful. Don’t forget to like us on Facebook and follow us on Twitter for more tricks! www.twitter.com/join_cwm
[wpdevart_like_box profile_id=”792637984138412″ connections=”show” width=”300″ height=”150″ header=”small” cover_photo=”show” locale=”en_US”]
SHARE this post with your friends and family members, they might be group admins of several groups in Whatsapp.
- Temporary Solution If You Received Message That Crashed Your iPhone - February 16, 2018
- This Vulnerability in phpMyAdmin Lets An Attacker Perform DROP TABLE With A Single Click! - December 29, 2017
- NO! That Windows Update Will Not Save You From WannaCry! - May 22, 2017
- [Incident Response]: How To Stay Protected From A Ransomware Attack like Wannacry? - May 14, 2017
- How to Identify a Phishing Email, Website and Where To Report? - March 5, 2017