As described in a newly published paper, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group. A report from Wired says that a group of researchers from the Ruhr University Bochum in Germany discovered a major flaw in WhatsApp's group chat mechanism.
One of the features that WhatsApp added to its messenger service a couple of years ago is end-to-end encryption of messages.
Even the researchers who uncovered this loophole agree that the level of sophistication needed to compromise WhatsApp's servers makes such attacks on WhatsApp groups unlikely.
"If someone hacks the WhatsApp server, they can obviously alter the group membership".
According to the full research paper, released this week at the Real World Crypto security conference in Zurich, someone with access to WhatsApp's servers could add a person to a private group chat and read its messages, or even re-order, remove or add messages in the chat.
The German cryptographers claim that the flaw makes it easy for anyone with that access to infiltrate a private group chat without the permission of the group admin. WhatsApp, however, has disputed the claim.
"Our systematic analysis reveals that the groups' closeness - represented by the members' ability of managing the group - are not end-to-end protected", said the researchers. It has become hard for WhatsApp to maintain its security standards, especially when it comes to group chats.
Once you are added to a group, the phones of the other participants automatically send their secret keys to the new member, giving him or her access to every new message from then on.
So far, we have been led to believe that end-to-end encryption in messaging apps like iMessage, WhatsApp and Telegram ensures that messages sent and received by users are so well scrambled that the services themselves cannot access or read them.
Responding to the report, WhatsApp said, "We've looked at this issue carefully".
While the messages in a group chat have a layer of end-to-end encryption, the group management handled by the servers does not.
This means an added member has access to all future messages, but cannot view past ones.
WhatsApp's counterargument is that a notification does go through when a new, unknown member joins the group, alerting the existing participants.
But this new flaw means it would now technically be possible to infiltrate group messages, bypassing encryption.
The WhatsApp representative rounded off the conversation by saying: "In sum, the clear notifications and multiple ways of checking who is in your group prevent silent eavesdropping".
Open Whisper Systems, the creators of Signal, told Wired that they are now redesigning how Signal handles group messaging, but did not share any more than that.
WhatsApp added: "The privacy and security of our users are incredibly important to WhatsApp".