WhatsApp security flaw lets anyone spy on private chats

A huge WhatsApp design flaw that allows anyone to infiltrate private group chats has been uncovered by security researchers.

Despite the service’s end-to-end encryption, experts say hackers can insert people into WhatsApp groups without the permission of the chat’s admin.

In response to the study, Facebook, which owns WhatsApp, has said it won’t fix the problem, and that group chats ‘remain protected’ by the app’s encryption.

THE WHATSAPP BUG

Experts found that anyone with control over WhatsApp’s servers can add people to private group chats, including hackers and governments who legally demand access.

Once a person is added, everyone in the chat automatically shares secret keys with that user.

This means they have access to all future messages, but not past ones.

Facebook’s Chief Security Officer Alex Stamos wrote on Twitter that the bug is not effective because WhatsApp users are notified when new members join conversations.

The study was presented at the Real World Crypto security conference in Zurich, Switzerland, by a group of researchers from Ruhr University Bochum in Germany.

They found that anyone with control over WhatsApp’s servers can add people to private group chats, including staff, hackers and governments who legally demand access.

Once a person has infiltrated a conversation, everyone in the chat automatically shares secret keys with that user.

This means they have access to all future messages, but cannot view past ones.

‘The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,’ study coauthor Paul Rösler told Wired.

The researchers suggest that those seeking absolute privacy should stick to one-to-one chats or use a different encrypted messaging service.

In response to the study, which was first reported by Wired, Facebook’s Chief Security Officer Alex Stamos wrote on Twitter: ‘Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.’

He said that there are multiple ways to verify group chat members, adding that users are notified of anyone new joining, including those without permission. 

‘The clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping,’ Mr Stamos wrote on Twitter.

‘The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.’

Mr Stamos added that WhatsApp does not intend to fix the bug because it would mean removing invite links, which millions of people use per day.

The news comes just months after WhatsApp’s highly-anticipated ‘Delete For Everyone’ feature was found to have a major flaw.

The innovative November update allowed users to delete messages within seven minutes of sending them. 

While users were not able to see the message within WhatsApp after it was deleted, they could still see it in the notification log on Android devices

Researchers found in November that deleted messages were actually still on the device, and could easily be accessed through the app’s Settings.

Text was stored in the notification register for Android 7.0 users, allowing them to sneakily read deleted communications.

WhatsApp has since updated the bug. 

Read more at DailyMail.co.uk