This setting, enabled by default on all WhatsApp accounts, could facilitate malicious intrusions via group chats.
Almost everyone is part of at least one group chat on WhatsApp: family to share photos, friends to schedule a dinner, colleagues to organize a surprise birthday, or even a news group to follow local news. These threads of messages accumulate and end up punctuating our days. But it also happens that we are added to a group without really realizing it, sometimes by a simple contact who has our number. We then discover dozens of messages, strangers in the list of participants, and his own number visible to everyone. However, finding yourself in a group with people who are not in our contacts is not trivial: it exposes your telephone number, your profile photo or your status to strangers, and can open the door to canvassing, scams or the unwanted sharing of your information. What seems like a simple conversation can therefore, without vigilance, become a real subject of confidentiality.
Indeed, according to researchers from Google’s Project Zero team and the cybersecurity company Malwarebytes, a hacker must have at least one contact of his target to integrate him into a newly created collective conversation. “According to Project Zero, this attack is relatively easy to replicate once the attacker has a list of potential targets.”. Profiles handling sensitive information logically appear more exposed, without this affecting all users.
The central point is not a massive hack, but a setting enabled by default. As Malwarebytes explains: “Google’s Project Zero has just revealed a vulnerability in WhatsApp that allows a malicious media file, sent in a newly created group chat, to be automatically downloaded and used as an attack vector.” The company specifies that this bug affects WhatsApp on Android and allows files to be downloaded without user action in group chats.
It is therefore recommended to restrict who can add you to a group by changing the setting from “Everyone” to “My Contacts”, or even excluding certain numbers, and to disable automatic media downloading in “Storage & Data”, so that no files are saved without validation. WhatsApp has indicated that it has deployed a fix: in other words, keeping the application up to date allows you to benefit from the latest protections available.
