As described in a newly published paper, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group.
The researchers presented their findings at the Real World Crypto conference in Zurich on Wednesday (10 January), Wired reports.
"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group". In other words, the researchers claim, someone with control of WhatsApp's servers can add a new person to a group without any administrator knowing.
The researchers also claim that they notified WhatsApp of the flaw, but were told that the group invitation bug was merely a "theoretical" problem, and thus did not qualify for Facebook's bug bounty program.
Paul Rösler, Christian Mainka, and Jörg Schwenk analyzed the three widely used protocols and their implementations, and found that if someone - e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) - gains control of WhatsApp's servers, they could easily insert a new member into a private group without the permission of the group's administrator(s).
Essentially, Stamos said the researchers' report was flawed, because no one can secretly add a new member to a group.
"Our systematic analysis reveals that the groups' closeness - represented by the members' ability of managing the group - is not end-to-end protected", said the researchers.
But management at WhatsApp's parent company, Facebook, insisted that there was no security threat.
Once you are added to a group, the phones of the other participants automatically send their secret (per-sender) keys to the new member, giving him or her access to every new message from then on.
WhatsApp introduced end-to-end encryption to assure users that their conversations cannot be read by anyone but the participants, even if the company providing the service wished to.
"When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add".
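The two passages above describe the mechanism the paper attacks: an "add member" management message goes through the server, and every member who accepts it then hands its sender key to the newcomer. The toy simulation below is an added example, not code from the paper or from WhatsApp; it models one admin, a relaying server and two members, and runs the same membership change twice, once with management messages that anyone holding the server can fabricate, and once with a tag that stands in for an end-to-end authenticated management channel (an HMAC under a group secret the server never sees; a real design would use admin signatures, which is an assumption here, not the page's description). The result shows which members would have sent their sender keys to a member the server inserted on its own.

```python
"""Toy model of group management that is, or is not, end-to-end protected.

Constructed example: names, the HMAC-based "authenticated channel" and the
message format are assumptions for illustration, not WhatsApp's protocol.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    # Per-sender symmetric key; whoever holds it can read this member's messages.
    sender_key: bytes = field(default_factory=lambda: os.urandom(32))
    roster: set = field(default_factory=set)
    # Everyone this member has shipped its sender_key to.
    key_sent_to: set = field(default_factory=set)

    def on_management_message(self, msg: bytes, tag: bytes, group_secret) -> bool:
        """Process an 'add:<name>' message as relayed by the server.

        group_secret is None when management messages are unauthenticated
        (the server's word is simply trusted). Otherwise the tag must verify.
        """
        if group_secret is not None:
            expected = hmac.new(group_secret, msg, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                return False  # forged membership change: ignore it
        op, _, who = msg.decode().partition(":")
        if op == "add" and who != self.name:
            self.roster.add(who)
            # Sender-key distribution: the newcomer now receives my key.
            self.key_sent_to.add(who)
        return True


class Server:
    """Relays management messages; a malicious operator can also inject them."""

    def __init__(self):
        self.queue = []

    def relay(self, msg: bytes, tag: bytes) -> None:
        self.queue.append((msg, tag))

    def inject(self, msg: bytes) -> None:
        # No admin involved, so no valid tag is available to the server.
        self.queue.append((msg, b""))


def admin_add(group_secret, who: str):
    """The admin's 'add member' message, tagged only if the channel is authenticated."""
    msg = f"add:{who}".encode()
    tag = hmac.new(group_secret, msg, hashlib.sha256).digest() if group_secret else b""
    return msg, tag


def simulate(authenticated: bool) -> dict:
    """Return, per member, who ended up holding that member's sender key."""
    group_secret = os.urandom(32) if authenticated else None
    alice, bob = Member("alice"), Member("bob")
    server = Server()
    server.relay(*admin_add(group_secret, "carol"))  # legitimate add by the admin
    server.inject(b"add:eve")                        # server adds its own member
    for msg, tag in server.queue:
        for m in (alice, bob):
            m.on_management_message(msg, tag, group_secret)
    return {m.name: sorted(m.key_sent_to) for m in (alice, bob)}


if __name__ == "__main__":
    print("unauthenticated:", simulate(False))  # eve receives everyone's keys
    print("authenticated:  ", simulate(True))   # only carol does
```

In the unauthenticated run the server's fabricated "add:eve" is indistinguishable from the admin's message, so both members ship their sender keys to eve and every later message is readable by whoever controls eve's device; in the authenticated run the same injection fails verification and is dropped, while the admin's add of carol still goes through. Note what the model does not capture: WhatsApp's point that members see a join notification, and the paper's point that the server can also reorder or drop messages to shape what members see.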
And Facebook's Chief Security Officer Alex Stamos took to Twitter to rubbish the claims.
While the group chats themselves are end-to-end encrypted, the group-management messages that the servers handle are not. WhatsApp's position is that this does not matter, because all group members will see that the new member has joined.
"We've looked at this issue carefully", a WhatsApp spokesman said in a statement. "However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys," he adds.
"WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent". Members will have to use the "Message Admin" button to post a message or share media to the group.
"In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure".