They added that "WhatsApp doesn't use any authentication mechanism" when a new member is added to a group, and that this is something WhatsApp's own servers can spoof as well.
German researchers have claimed there is a way to infiltrate WhatsApp's group chats and listen in on private messages, despite its end-to-end encryption. The vulnerability they found in encrypted group chats on WhatsApp and Signal could allow an outsider to access and even manipulate personal conversations.
WhatsApp has also noted that it has consistently pushed back on government requests to break encryption.
But the flaw can only be exploited if attackers can get access to WhatsApp's servers.
The attack on WhatsApp group chats takes advantage of a flaw in how new members are added.
Encryption has always been one of the harder parts of group chat: the best protection in the world cannot stop an unintended reader from seeing messages once that reader has been handed the keys to decrypt them.
"Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces".
The researchers disclosed their findings to the three companies that develop the messengers last summer, and Threema has already pushed out a fix.
WhatsApp has yet to respond to this report. Normally, only admins can add new members to private groups. "We built WhatsApp so group messages cannot be sent to a hidden user."
"The privacy and security of our users are incredibly important to WhatsApp."
So far, we have been led to believe that end-to-end encryption in messaging apps like iMessage, WhatsApp and Telegram ensures that messages sent and received by users are so well scrambled that the services themselves cannot access or read them.
However, the platform told Wired the bug didn't qualify for the bug bounty program run by Facebook, which owns WhatsApp.
Of course, this doesn't excuse the presence of a security hole. The researchers say they plan to reveal similar flaws in apps such as Signal and Threema.
While the chats themselves are protected by a layer of end-to-end encryption, the server-side handling of group membership is not. With Signal, an impostor would need to control the Signal server and know the group ID and the phone number of one member, the researchers said in the paper.
This is because a notification that a new, unknown member has joined the group does go through, alerting the existing members. The application is designed so that group messages cannot be sent to any hidden user.
The objective of end-to-end encryption is to remove trust from the intermediate servers, so that not even the company or the server that transmits the data can decrypt the messages or abuse its central position.
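The membership problem described above can be modelled in a few lines. The following is an added example written for this article, not code from WhatsApp, Signal or the researchers' paper. It assumes a simplified client that hands its next message key to every phone number it believes is a group member, and that membership updates arrive from the server. In the vulnerable variant the client accepts any "add member" update the server delivers; in the hardened variant each update must carry an HMAC tag under a group membership key (a hypothetical stand-in for an admin signature) that members hold but the server never sees. Group IDs, phone numbers and key handling are all constructed for the example.

```python
"""Toy model of server-controlled vs. admin-authenticated group membership.

Constructed example for illustration only; not the code of any real messenger.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def membership_tag(key: bytes, group_id: str, member: str) -> bytes:
    """Tag an 'add member' update so members can check an admin issued it.

    A real design would use the admin's asymmetric signing key; the HMAC here
    is an assumption made to keep the example self-contained.
    """
    msg = f"{group_id}|add|{member}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    def __init__(self, phone: str, group_id: str, members: set,
                 membership_key: Optional[bytes] = None):
        self.phone = phone
        self.group_id = group_id
        self.members = set(members)
        # None means: trust whatever membership update the server delivers.
        self.membership_key = membership_key
        # Every phone number this client has sent its message key to.
        self.key_shared_with = []

    def on_add_member(self, update: dict) -> bool:
        """Process an 'add member' update; returns True if it was accepted."""
        if update["group_id"] != self.group_id:
            return False
        if self.membership_key is not None:
            expected = membership_tag(self.membership_key,
                                      update["group_id"], update["member"])
            if not hmac.compare_digest(expected, update.get("tag", b"")):
                return False  # unauthenticated membership change: refuse it
        self.members.add(update["member"])
        # Accepting the update means the next message key goes to the new
        # member too, so they can decrypt everything sent from now on.
        self.key_shared_with.append(update["member"])
        return True


def server_inject(clients, group_id, attacker):
    """A compromised server forges an 'add member' notice without any admin."""
    update = {"group_id": group_id, "member": attacker}  # no tag: no admin key
    return [c.on_add_member(update) for c in clients]


def admin_add(clients, key, group_id, member):
    """A legitimate admin adds a member with a tagged update."""
    update = {"group_id": group_id, "member": member,
              "tag": membership_tag(key, group_id, member)}
    return [c.on_add_member(update) for c in clients]


def run_unauthenticated():
    """Vulnerable model: returns (all clients accepted, all leaked their key)."""
    group, members = "group-42", {"+4911", "+4922"}
    clients = [Client(p, group, members) for p in members]
    accepted = server_inject(clients, group, "+1ATTACKER")
    leaked = all("+1ATTACKER" in c.key_shared_with for c in clients)
    return all(accepted), leaked


def run_authenticated():
    """Hardened model: server injection is refused, admin adds still work."""
    group, members = "group-42", {"+4911", "+4922"}
    key = secrets.token_bytes(32)  # held by members, never by the server
    clients = [Client(p, group, members, key) for p in members]
    injected = server_inject(clients, group, "+1ATTACKER")
    legit = admin_add(clients, key, group, "+4933")
    return any(injected), all(legit), [sorted(c.members) for c in clients]


if __name__ == "__main__":
    print("unauthenticated (accepted, key leaked):", run_unauthenticated())
    print("authenticated (injection accepted, admin add ok, members):",
          run_authenticated())
```

The point the model makes is that the confidentiality of the message keys is only as good as the decision of who to send them to; if that decision is taken on the server's say-so, end-to-end encryption protects nothing against the server itself.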