Despite WhatsApp’s secure end-to-end encryption for messages, German researchers have found a loophole that could allow hackers to worm their way into WhatsApp’s group chats.
But management at WhatsApp’s parent company, Facebook, insisted that there was no security threat.
The researchers found that anyone who controls the app’s servers could insert new people into private group chats without needing admin permission.
After an initial story was published by Wired, Facebook’s chief security officer, Alex Stamos, tweeted that it was not possible to access WhatsApp group chats.
In a further response, Stamos said there were multiple ways to check and verify the members of a group chat. He argued that since all members of a group chat can see who joins a chat, they’ll be notified of any eavesdroppers.
At the moment, WhatsApp’s servers can only be accessed by its employees, or by governments that follow the legal route to gain access through court orders.
According to the research paper published by the German cryptographers “the subsequently described protocol design weakness allows an attacker, controlling some of the messages sent by the WhatsApp server, to become a member of the group or add other users to the group without any interaction of the other users.”
“The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the researchers, said.
In addition, every participant in the WhatsApp group (identified by mobile number) then shares secret keys with the ‘new member’, giving them full access to future messages.
At present, WhatsApp only allows an administrator of a group to add or remove people and make certain changes to the group.
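The design weakness described above, modelled as an added example that is not code from the researchers or from WhatsApp: each client accepts a server-delivered ‘member added’ control message and hands the newcomer the sender key that protects its future group messages, and the same model with the control message required to carry the admin’s signature. An HMAC under a key the clients share with the admin stands in for a real digital signature, and every name and key here is constructed.

```python
"""Toy model of group-membership control: unauthenticated vs admin-authenticated."""
import hashlib
import hmac
import secrets

# Constructed setup. HMAC keyed with the admin's key is a stand-in for a real
# signature so the model runs with the standard library only.
ADMIN_KEY = secrets.token_bytes(32)

def update_bytes(group: str, op: str, user: str) -> bytes:
    """Canonical encoding of a group control message."""
    return f"{group}|{op}|{user}".encode()

def admin_sign(update: bytes) -> bytes:
    return hmac.new(ADMIN_KEY, update, hashlib.sha256).digest()

class Client:
    """One participant: owns a sender key and a local copy of the member list."""
    def __init__(self, name, members, require_admin_signature):
        self.name = name
        self.members = set(members)
        self.require_admin_signature = require_admin_signature
        self.sender_key = secrets.token_bytes(32)   # encrypts this client's posts
        self.key_sent_to = set(members) - {name}    # who already holds that key

    def receive_update(self, group, op, user, sig=None):
        """Process a control message delivered by the (possibly hostile) server."""
        if self.require_admin_signature:
            expected = admin_sign(update_bytes(group, op, user))
            if sig is None or not hmac.compare_digest(sig, expected):
                return False        # unsigned or forged: membership unchanged
        if op == "add":
            self.members.add(user)
            self.key_sent_to.add(user)  # client shares its sender key with new member
        return True

def simulate(require_admin_signature, signed_by_admin=False):
    """Server injects 'add mallory'; return True if mallory can now read posts."""
    members = ["alice", "bob", "carol"]
    clients = {m: Client(m, members, require_admin_signature) for m in members}
    update = update_bytes("grp", "add", "mallory")
    sig = admin_sign(update) if signed_by_admin else None
    for c in clients.values():
        c.receive_update("grp", "add", "mallory", sig)
    return any("mallory" in c.key_sent_to for c in clients.values())

if __name__ == "__main__":
    print("unsigned update accepted:", simulate(False))          # True
    print("unsigned update, admin signature required:", simulate(True))  # False
```

In the hardened variant a server-originated update without the admin’s signature leaves every client’s member list and key distribution untouched, while a genuinely admin-signed addition still goes through.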
In January last year, reports leaked online saying that WhatsApp was vulnerable to interception, sparking concern over an app that had marketed itself as a privacy leader.
The report said that WhatsApp messages could be read without its billion-plus users knowing, due to a security backdoor in the way the company had implemented its end-to-end encryption protocol.
The system relies on unique security keys “that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman,” the report said.