German cryptographers from Ruhr University found that anyone who controls WhatsApp's servers can add members to a group chat without the admin's invitation.
WhatsApp rolled out end-to-end encryption for conversations two years ago. But new research has found that it is still possible to add people to private group chats without the admin's permission, according to a Wired report.
A team of German cryptographers from Ruhr University has found flaws in WhatsApp's security system.
According to the report, the team said that anyone who controls Facebook-owned WhatsApp's servers can add people to private group chats without an invitation from the group's admin, effectively giving the uninvited member access to the messages in the group. The root cause is that group-management messages (such as "add member") are trusted from the server rather than being authenticated by the admin, so whoever controls the server can issue them.
The uninvited member can only read messages sent after they have been added to the group. Messages sent to the group before the member joined remain encrypted under keys the newcomer never receives, the report clarifies. But once the attacker has a member in the group, they can also selectively block messages sent to the group, since the server controls delivery.
WIRED spoke to Matthew Green, a cryptography professor at Johns Hopkins University who reviewed the Ruhr University researchers' work. "If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption," said Green.
The report says a WhatsApp spokesperson confirmed the findings but added that no one can "secretly" add members to a group: existing group members receive a notification that a new member has joined. The spokesperson said that if an admin spots an unknown member in the group, they can alert the other members through another group or one-to-one conversations.
The research examined other encrypted messaging apps as well, including Signal and Threema. The flaws found in WhatsApp were more serious than the ones found in Signal and Threema, according to the report. To close the gap, the researchers suggested that WhatsApp could introduce a secret key, held by the group and not the server, so that clients can verify that a group invite really came from the admin before acting on it.
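The following is an added illustration of the difference between trusting the server for group-management messages and requiring them to be authenticated with a key the server does not hold. It is example code written for this article, not WhatsApp's implementation or the Ruhr University researchers' code. It assumes a hypothetical JSON "add member" control message, a per-group secret shared by the group's clients (but never by the server), and an HMAC-SHA256 tag over that message; a monotonically increasing counter guards against replaying an old, genuine add. The sample messages and member names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical wire format for a group-management message (constructed for this example).
def make_add_message(group_id: str, admin: str, new_member: str, counter: int) -> dict:
    return {"type": "add", "group": group_id, "admin": admin,
            "member": new_member, "counter": counter}

def canonical(msg: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC the same bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign_add(msg: dict, group_key: bytes) -> dict:
    # The admin's client, which holds the group secret, tags the message.
    tag = hmac.new(group_key, canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "tag": tag}

class GroupClient:
    """A member's view of group membership, under two policies."""

    def __init__(self, member_id: str, group_key: bytes, members: list[str]):
        self.me = member_id
        self.key = group_key
        self.members = set(members)
        self.last_counter = 0

    def apply_unauthenticated(self, msg: dict) -> bool:
        # Vulnerable policy: the server's word is enough, so a server
        # operator can inject any member they like.
        if msg.get("type") == "add":
            self.members.add(msg["member"])
            return True
        return False

    def apply_authenticated(self, msg: dict) -> bool:
        # Hardened policy: only accept an add whose tag verifies under the
        # group secret and whose counter is fresh (rejects replays).
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False
        if body.get("counter", 0) <= self.last_counter:
            return False
        self.last_counter = body["counter"]
        self.members.add(body["member"])
        return True

def demo() -> dict:
    group_key = secrets.token_bytes(32)          # shared by members, unknown to server
    bob = GroupClient("bob", group_key, ["alice", "bob"])

    # A server operator forges an add without the group secret.
    forged = make_add_message("g1", "alice", "mallory", counter=1)
    forged["tag"] = secrets.token_hex(32)        # random tag, cannot verify

    # The real admin adds carol; her client tags the message.
    genuine = sign_add(make_add_message("g1", "alice", "carol", counter=1), group_key)

    # Same message delivered a second time (replay by the server).
    replay = dict(genuine)

    return {
        "forged_accepted_unauthenticated": bob.apply_unauthenticated(forged),
        "forged_accepted_authenticated": bob.apply_authenticated(forged),
        "genuine_accepted_authenticated": bob.apply_authenticated(genuine),
        "replay_accepted_authenticated": bob.apply_authenticated(replay),
        "members": sorted(bob.members),
    }

if __name__ == "__main__":
    print(demo())
```

Under the unauthenticated policy the forged add succeeds and "mallory" silently joins; under the authenticated policy the forgery and the replay are both rejected while the admin's genuine add goes through. One caveat: with a MAC key shared by every member, any member (not just the admin) could produce a valid tag, so a production design would give the admin a signing key and have members verify signatures instead; the MAC is used here only because it runs with the standard library.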