Despite WhatsApp’s secure end-to-end encryption for messages, German researchers have found a loophole that could allow hackers to worm their way into WhatsApp’s group chats.
But management at WhatsApp’s parent company, Facebook insisted that there was no security threat.
The researchers found that anyone who controls the app’s servers could insert new people into private group chats without needing admin permission.
After an initial story was published by WiredFacebook’s chief security officer, Alex Stamos tweeted that it was not possible to access WhatsApp group chats.
“Read the Wired article today about WhatsApp – scary headline! But there is no a secret way into WhatsApp groups chats,” Stamos said on Twitter.
In a further response from Stamos he said there were multiple ways to check and verify the members of a group chat. He argued that since all members of a group chat can see who joins a chat, they’ll be notified of any eavesdroppers.
At the moment WhatsApp servers can only be accessed by its employees and governments who follow the legal route to gain access through court orders.
According to the research paper published by the German cryptographers "the subsequently described protocol design weakness allows an attacker, controlling some of the messages sent by the WhatsApp server, to become a member of the group or add other users to the group without any interaction of the other users.”
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the researchers told Wired.
Also the mobile number of every participant in the WhatsApp group shares secret keys with the ‘new member’ giving them full access to future messages.