The full research paper, released this week at the Real World Crypto security conference held in Zurich, someone accessing WhatsApp's servers could add someone to a private group chat and read messages or even re-order, remove or add messages to the chat.
A WhatsApp bug that allows anyone to infiltrate private group chats has been uncovered by researchers.
According to experts at the Ruhr University Bochum in Germany, it's possible for spies to enter a group chat without your permission.
Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline!" According to the paper, investigation into "end-to-end protected group communications" has gained only little attention.
So far, we have been led to believe that end-to-end encryption in mobile phones and messaging apps like iMessage, WhatsApp and Telegram ensures that messages sent and received by users are so well scrambled that the services themselves can not access or read them. "I think it would be better if the server didn't have metadata visibility into group membership, but that's a largely unsolved problem, and it's unrelated to confidentiality of group messages", he added.More news: Bollywood beauty Anushka Sharma returns to 'Zero' life
Security researcher Moxie Marlinspike in a forum post explained how WhatsApp group messaging works. While only admins can invite new members, the company doesn't utilize any authentication mechanism for this invite that its servers can't spoof. According to them, the intrusion can be carried out by anyone who could controls app's servers.
Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server the attacker also needs to know the chat's Group ID - which is nearly impossible to know without having physical access to one of the phones in the message thread.
While the exploits in Threema and Signal seemed to be relatively harmless, WhatsApp had far more significant gaps in security. "The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity".
"While our investigation focuses on three major instant messaging applications, our methodology and the underlying model is of generic goal and can be applied to other secure group instant messaging protocols as well", researchers concluded in the paper.
The idea behind encryption is to muddle your messages so only you and the recipient can read texts you send. "Existing members are notified when new people are added to a WhatsApp group". Since the group ID is a random 128-bit number (and is never revealed to non-group-members or even the server) that pretty much blocks the attack. "The chat app in 2016 brought the chat end-to-end encryption". "An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all".