WhatsApp is a popular messenger service that is used extensively on mobile platforms. Since 2014, WhatsApp has introduced end-to-end encryption to secure the platform, which makes all conversations private. This means that no third party can read them, be it a government, criminals or even WhatsApp itself. WhatsApp relies on the Signal protocol for its end-to-end encryption. However, WhatsApp group chats might not be as secure as the company claims.
According to a report by a team of German security researchers, these group chats can actually be infiltrated. The team found a flaw in the security protocol WhatsApp uses for group messages. According to the team, anyone with control of or access to the WhatsApp servers can add people to private group chats, and can do so without the permission of the group admins.
The researchers say that this issue is a bug in WhatsApp's authentication system. They point out that “WhatsApp doesn’t use any authentication mechanism” when a new member is added to the group, so a request to add a member is something its own servers can spoof as well. Someone with control of WhatsApp's servers can add a new person to a group without the administrator's knowledge.
WhatsApp confirms that it knows about this flaw. The company says that every time a new member is added to a group, all the group members get a notification about the addition. In a statement to Wired, the company said, “We’ve looked at this issue carefully…Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user.”
Although the messages shared before the attacker enters the group cannot be read, the flaw does give that person access to all messages shared after the malicious user has been added. The researchers say there are many risks in group chats where the hacker has control of the server, because they can then manipulate who gets which messages, delete messages and more. The security researchers have argued that the security protocols for group chats need to be enhanced in light of the vulnerabilities they have pointed out.
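
One way a client could authenticate membership changes end to end, shown as an added example that is not taken from the researchers' report or from WhatsApp's code: the admin attaches an HMAC computed with a key shared only with each member, so a change injected by the server fails verification. The message layout, `GroupClient`, `admin_tag` and the pairwise key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def encode_change(group_id, seq, action, subject):
    """Canonical bytes of a membership change, so both sides MAC the same input."""
    return json.dumps([group_id, seq, action, subject], separators=(",", ":")).encode()

def admin_tag(pairwise_key, group_id, seq, action, subject):
    """Admin side: MAC the change with the key shared end to end with one member."""
    return hmac.new(pairwise_key, encode_change(group_id, seq, action, subject),
                    hashlib.sha256).digest()

class GroupClient:
    """One member's view of a group; applies only admin-authenticated changes."""
    def __init__(self, group_id, admin_key, members):
        self.group_id = group_id
        self.admin_key = admin_key   # assumption: derived from the pairwise E2E session
        self.members = set(members)
        self.last_seq = 0            # highest change number accepted so far

    def handle_change(self, seq, action, subject, tag):
        """Apply a server-relayed change only if the admin's MAC verifies."""
        expected = admin_tag(self.admin_key, self.group_id, seq, action, subject)
        if not hmac.compare_digest(expected, tag):
            return "rejected: not authenticated by admin"
        if seq <= self.last_seq:
            return "rejected: replayed or stale change"
        if action == "add":
            self.members.add(subject)
        elif action == "remove":
            self.members.discard(subject)
        else:
            return "rejected: unknown action"
        self.last_seq = seq
        return "applied"

def demo():
    """Constructed run: a genuine add, a server-injected add, then a replay."""
    key = hashlib.sha256(b"constructed admin<->bob pairwise secret").digest()
    bob = GroupClient("g1", key, {"alice", "bob"})
    good = admin_tag(key, "g1", 1, "add", "carol")
    results = [bob.handle_change(1, "add", "carol", good),         # genuine
               bob.handle_change(2, "add", "mallory", bytes(32)),  # server-injected
               bob.handle_change(1, "add", "carol", good)]         # replay
    return results, sorted(bob.members)

if __name__ == "__main__":
    print(demo())
```

Because the group identifier and a sequence number are covered by the MAC, a tag captured for one group or one change cannot be reused for another.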