As described in a newly published paper, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group.
The researchers presented their findings at the Real World Crypto conference in Zurich on Wednesday (10 January), Wired reports.
"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group". The researchers claim that someone with control of WhatsApp's servers can add a new person to a group without the administrator even knowing.
The researchers also claim that they notified WhatsApp of the flaw, but were told that the group invitation bug was merely a "theoretical" problem, and thus did not qualify for Facebook's bug bounty program.
Paul Rösler, Christian Mainka, and Jörg Schwenk analyzed the three widely used protocols and their implementations, and found that if someone - e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) - gains control of WhatsApp's servers, they could easily insert a new member into a private group without the permission of the group's administrator(s).
Essentially, Stamos said the researchers' report was flawed, as no one can secretly add a new member to a group.
"Our systematic analysis reveals that the groups' closeness - represented by the members' ability of managing the group - are not end-to-end protected", said the researchers.
But management at WhatsApp's parent company, Facebook, insisted that there was no security threat.
Once you are added to a group, the phones of the rest of the participants automatically send their secret keys to the new member, giving him or her access to any new messages from then on.
WhatsApp introduced end-to-end encryption to assure users that their conversations cannot be accessed, even if the company providing it so desires.
"When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add".
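The add-member flow described above, as an added toy model that is not code from the paper, WhatsApp or Signal: members act on whatever membership update the server delivers, so a server-issued add is accepted and each member hands over its sender key; requiring the update to carry an admin authentication tag that members verify rejects it. The group id, member names and the HMAC-based tag are constructed stand-ins for the real protocol's signing keys.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

def canonical(body: dict) -> bytes:
    """Deterministic encoding of the part of the update that is authenticated."""
    return json.dumps(body, sort_keys=True).encode()

@dataclass
class Member:
    name: str
    # Empty verify key: the member trusts any membership update the server
    # delivers (the flow the article describes). An HMAC key stands in for
    # the admin's asymmetric signing key in this toy model.
    admin_verify_key: bytes = b""

    def accepts(self, update: dict) -> bool:
        """True if the member would act on the update, i.e. send its sender
        key to the newly listed member."""
        if not self.admin_verify_key:
            return True
        expected = hmac.new(self.admin_verify_key, canonical(update["body"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, update.get("sig", ""))

def admin_add(admin_key: bytes, group: str, new_member: str) -> dict:
    """Update issued by the real admin: body plus an authentication tag."""
    body = {"op": "add", "group": group, "member": new_member}
    tag = hmac.new(admin_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}

def server_add(group: str, new_member: str) -> dict:
    """Update the server can emit by itself: same body, no admin tag."""
    return {"body": {"op": "add", "group": group, "member": new_member}}

def keys_handed_over(members: list, update: dict) -> int:
    """Number of members who would send their sender key to the added member."""
    return sum(1 for m in members if m.accepts(update))

def demo() -> dict:
    admin_key = b"constructed-admin-key-for-the-example"   # constructed
    names = ["alice", "bob", "carol"]
    naive = [Member(n) for n in names]
    checking = [Member(n, admin_key) for n in names]
    forged = server_add("g1", "mallory")                   # server-injected
    legit = admin_add(admin_key, "g1", "dave")             # admin-authorised
    return {"naive_forged": keys_handed_over(naive, forged),
            "checking_forged": keys_handed_over(checking, forged),
            "checking_legit": keys_handed_over(checking, legit)}
```

The tag is bound to the group id and the member being added, so a server that swaps the member name in an otherwise valid admin update is also rejected by verifying members.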
And Facebook's Chief Security Officer Alex Stamos took to Twitter to rubbish the claims.
While the group and the chats themselves have a layer of end-to-end encryption, the servers that the chats run on don't. All group members will see that the attacker has joined.
"We've looked at this issue carefully", a WhatsApp spokesman said in a statement. However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys, he adds.
"WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent". They will have to use the "Message Admin" button to post a message or share media to the group.
"In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure".