As described in a newly published paper, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema", anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group.
The researchers presented their findings at the Real World Cryptosecurity conference in Zurich on Wednesday (10 January), Wired reports.
"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group". The researchers claim that someone with control of WhatsApp's servers can add a new person to a group without the administrator even knowing.
The researchers also claim that they notified WhatsApp of the flaw, but were told that the group invitation bug was merely a "theoretical" problem, and thus did not qualify for Facebook's bug bounty program.
Paul Rösler, Christian Mainka, and Jörg Schwenk analyzed the three widely used protocols and their implementations, and found that if someone - e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) - gains control of WhatsApp's servers, they could easily insert a new member in a private group without the permission of the group's administrator(s).
Essentially, Stamos said the researchers' report was flawed, as no one can secretly add a new member to a group.
"Our systematic analysis reveals that the groups' closeness - represented by the members' ability of managing the group - are not end-to-end protected", said the researchers.
But management at WhatsApp's parent company, Facebook, insisted that there was no security threat.
Once you are added to a group, the phones of the rest of the participants automatically send their secret keys to the new member, giving him or her access to any new messages from then on.
WhatsApp introduced end-to-end encryption to assure users that their conversations cannot be accessed, even if the company providing it so desires.
"When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add".
And Facebook's Chief Security Officer Alex Stamos took to Twitter to rubbish the claims.
While the group and the chats themselves have a layer of end-to-end encryption, the servers that the chats run on don't. All group members will see that the attacker has joined.
"We've looked at this issue carefully", a WhatsApp spokesman said in a statement. 'However, this potential gap in security should serve as a reminder for businesses and users to keep a close eye on their encryption services and their cryptographic keys,' he adds.
"WhatsApp is built so group messages cannot be sent to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent". They will have to use the "Message Admin" button to post a message or share media to the group.
"In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure".