A WhatsApp bug that allows anyone to infiltrate private group chats has been uncovered by researchers.
Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline!" The same group chat attack that works against WhatsApp was also found in Signal.
However, researchers from Germany discovered that WhatsApp's end-to-end encryption might be useless because it does not protect against unauthorized access via the company's servers.
It is common for existing members to be alerted when new members are added to the WhatsApp group. A research paper released at a security event this week describes how group chats can be leveraged by snoops.
According to the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to the group and it is possible for an unauthorised person, who is not even a member of the group, to add someone to the group chat.
According to WABetaInfo, a fan site that tests new WhatsApp features early, the popular mobile messaging platform has released a "Restricted Groups" setting through the Google Play Beta Programme in version 2.17.430.
According to the team, anyone with access to WhatsApp's servers could easily insert new people into a private group without needing the permission of the administrator.
WhatsApp said it had "carefully looked" at the flaw and reassured users that their encrypted messages were safe.
"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group", the paper states.
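The following Go program is an added illustration, not code from the paper or from WhatsApp or Signal, of the mechanism the researchers describe. A "flawed" client applies whatever membership change the server relays, while a hardened client only accepts a change that is signed by a key it already trusts as a group admin and that carries the next expected sequence number, so a server-forged add and a replayed or reordered update are both rejected. The message layout, the Ed25519 signing, the sequence counter and every name in it are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// GroupUpdate is a membership-change message as relayed by the server.
// The field names are hypothetical and do not mirror WhatsApp's or Signal's wire format.
type GroupUpdate struct {
	GroupID string
	Seq     uint64            // per-group counter; each accepted update must be LastSeq+1
	Action  string            // "add" or "remove"
	Member  string            // identity being added or removed
	Issuer  ed25519.PublicKey // key of the admin claiming to issue the change
	Sig     []byte            // Ed25519 signature over payload()
}

// payload is the byte string that is signed and verified. Fields are length-prefixed
// so that two different updates can never encode to the same bytes.
func (u GroupUpdate) payload() []byte {
	var out []byte
	for _, f := range []string{u.GroupID, fmt.Sprint(u.Seq), u.Action, u.Member} {
		out = append(out, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	return out
}

// SignUpdate is what a legitimate admin client does before handing the change to the server.
func SignUpdate(priv ed25519.PrivateKey, u GroupUpdate) GroupUpdate {
	u.Issuer = priv.Public().(ed25519.PublicKey)
	u.Sig = ed25519.Sign(priv, u.payload())
	return u
}

// GroupView is one member's local, client-side state for a group.
type GroupView struct {
	Admins  map[string]bool // admin public keys learned over the end-to-end channel, not from the server
	Members map[string]bool
	LastSeq uint64
}

func NewGroupView(admin ed25519.PublicKey, members ...string) *GroupView {
	g := &GroupView{Admins: map[string]bool{string(admin): true}, Members: map[string]bool{}}
	for _, m := range members {
		g.Members[m] = true
	}
	return g
}

// ApplyUnauthenticated models the flawed behaviour: the client trusts whatever membership
// change the server delivers, so whoever controls the server can insert a member
// without any admin's involvement.
func (g *GroupView) ApplyUnauthenticated(u GroupUpdate) error { return g.apply(u) }

// ApplyAuthenticated is the hardened variant: the issuer must be a trusted admin, the
// signature must verify, and the sequence number must be the next one expected, so the
// server can neither forge a change nor replay, drop or reorder one without detection.
func (g *GroupView) ApplyAuthenticated(u GroupUpdate) error {
	if len(u.Issuer) != ed25519.PublicKeySize || !g.Admins[string(u.Issuer)] {
		return errors.New("issuer is not a trusted admin")
	}
	if !ed25519.Verify(u.Issuer, u.payload(), u.Sig) {
		return errors.New("bad signature on group update")
	}
	if u.Seq != g.LastSeq+1 {
		return fmt.Errorf("unexpected sequence %d (expected %d)", u.Seq, g.LastSeq+1)
	}
	return g.apply(u)
}

func (g *GroupView) apply(u GroupUpdate) error {
	switch u.Action {
	case "add":
		g.Members[u.Member] = true
	case "remove":
		delete(g.Members, u.Member)
	default:
		return fmt.Errorf("unknown action %q", u.Action)
	}
	g.LastSeq = u.Seq
	return nil
}

// ScenarioResult records what each client variant did with the constructed updates.
type ScenarioResult struct {
	FlawedHasEve, HardenedHasEve, HardenedHasCarol bool
	ForgedErr, ReplayErr                           error
}

// Scenario runs a constructed exchange: an honest admin adds "carol", the server then
// injects an add of "eve" signed with its own (untrusted) key, and finally the honest
// update is delivered a second time.
func Scenario() ScenarioResult {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // the server's key is not an admin key

	legit := SignUpdate(adminPriv, GroupUpdate{GroupID: "g1", Seq: 1, Action: "add", Member: "carol"})
	forged := SignUpdate(serverPriv, GroupUpdate{GroupID: "g1", Seq: 2, Action: "add", Member: "eve"})

	flawed := NewGroupView(adminPub, "alice", "bob")
	_ = flawed.ApplyUnauthenticated(legit)
	_ = flawed.ApplyUnauthenticated(forged)

	hardened := NewGroupView(adminPub, "alice", "bob")
	_ = hardened.ApplyAuthenticated(legit)
	forgedErr := hardened.ApplyAuthenticated(forged)
	replayErr := hardened.ApplyAuthenticated(legit)

	return ScenarioResult{
		FlawedHasEve: flawed.Members["eve"], HardenedHasEve: hardened.Members["eve"],
		HardenedHasCarol: hardened.Members["carol"], ForgedErr: forgedErr, ReplayErr: replayErr,
	}
}

func main() {
	r := Scenario()
	fmt.Printf("flawed client admitted eve: %v\n", r.FlawedHasEve)
	fmt.Printf("hardened client admitted eve: %v (%v)\n", r.HardenedHasEve, r.ForgedErr)
	fmt.Printf("replay of honest update rejected: %v\n", r.ReplayErr)
}
```

The point of the design is where trust is anchored: the hardened client never learns admin keys from the server, so a valid-looking signature from a key the members do not already hold is worthless, and the counter means a member notices when the server withholds or reshuffles updates rather than silently accepting them.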
Everyone in the group would see a message that a new member had joined, seemingly at the invitation of the unwitting administrator. The fear for some people is that this security flaw will result in WhatsApp being coerced by government agencies into allowing the flaw to be exploited to eavesdrop on conversations. In such a case, it is impossible for them to share details with enforcement agencies that they themselves cannot access.
So if you see someone new entering your group, speak to the other members in private chats to confirm the new person's identity. "There is no way to suppress this message", he wrote.
"For example, it would be interesting to analyze the group chat implementations of other Signal-based messaging protocols, such as Google's Allo, Wire, and Facebook Messenger, or even non-Signal-based protocols similarly to our investigation of Threema".
"An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all".