I’ve been reading the 2018 paper “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema”, which outlines several interesting vulnerabilities in the group messaging protocols of Signal and WhatsApp at the time.
The paper points out that:
In WhatsApp, the server can see and modify group membership, since group updates aren't end-to-end encrypted or authenticated.
In Signal, a user who left a group could re-add themselves without other members' awareness.
Also, both WhatsApp and Signal could forge delivery acknowledgements—meaning a message could appear as "delivered" (e.g., double check marks in WhatsApp), even if the server dropped it, because ACKs weren’t end-to-end encrypted.
Since then:
- Signal has addressed these concerns using a new group protocol described in The Signal Private Group System, and has also encrypted acknowledgements using Sealed Sender.
My question is: How has WhatsApp patched these issues—especially group membership authentication and encrypted acknowledgements—since the "More is Less" paper?
I’m especially interested in whether:
Group membership changes are now end-to-end verifiable/authenticated by clients
ACK messages are encrypted or made tamper-proof in a way similar to Signal's Sealed Sender
Any resources, whitepapers, or technical insights would be greatly appreciated!
Thanks in advance
