Researchers have uncovered a serious security vulnerability in WhatsApp that could allow hackers or government spies to slide unnoticed into group chats in the Facebook-owned messaging app.
A team from the Ruhr University Bochum in Germany says there is a way for anyone with control of a WhatsApp server—such as a company employee or a sophisticated hacker—to undermine the platform’s encryption by secretly adding members to any group.
In a paper describing the flaw, titled “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,” the researchers explain how someone could take advantage of it.
“The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group,” the paper states.
WhatsApp responded to the issue in a statement provided to Newsweek.
“We’ve looked at this issue carefully,” a WhatsApp spokesperson said. “Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user.
“The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
However, the paper goes on to explain how an attacker, once added to a group, could remain unnoticed by its members.
“The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group,” the paper states. “Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members.
“Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.”
WhatsApp noted that group members can see who is in a group by tapping “group info,” but the flaw means that encryption alone would not protect users who have not checked the member list and are therefore unaware that their group has been infiltrated.
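As an added illustration (not code from the paper, WhatsApp or Newsweek), the following Python model contrasts a client that applies whatever membership change the server delivers with one that accepts only changes authenticated under an admin key and numbered in sequence, so that a server-originated addition, or a withheld notification of the kind the paper describes, is flagged instead of silently applied. The `Member` class, the message layout and `ADMIN_KEY` are constructed assumptions, and the HMAC is a stand-in for an asymmetric admin signature that the server would not hold.

```python
import hashlib
import hmac
import json

# Constructed admin key (assumption, not WhatsApp's protocol): an HMAC stands in for the
# admin's asymmetric signature, which the server would not hold.
ADMIN_KEY = b"constructed-admin-key"

def control_tag(key, body):
    """Authenticate one group-management message (add/remove) under the admin key."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Member:
    """admin_key=None applies any change the server delivers (the weakness described);
    with a key, only authenticated, in-sequence changes are applied and others alert."""
    def __init__(self, name, admin_key=None):
        self.admin_key, self.members, self.next_seq, self.alerts = admin_key, {name}, 0, []

    def on_control(self, msg):
        body, mac = msg["body"], msg.get("mac")
        if self.admin_key is not None:
            if mac is None or not hmac.compare_digest(mac, control_tag(self.admin_key, body)):
                self.alerts.append(f"unauthenticated {body['action']} of {body['member']}")
                return False
            if body["seq"] != self.next_seq:  # a dropped or reordered change shows up here
                self.alerts.append(f"sequence gap: expected {self.next_seq}, got {body['seq']}")
                return False
            self.next_seq += 1
        if body["action"] == "add":
            self.members.add(body["member"])
        return True

def admin_change(seq, action, member):
    body = {"seq": seq, "action": action, "member": member}
    return {"body": body, "mac": control_tag(ADMIN_KEY, body)}

def server_change(seq, action, member):  # the server holds no admin key, so no tag
    return {"body": {"seq": seq, "action": action, "member": member}}

def legacy_client_applies_server_add():
    alice = Member("alice")
    return alice.on_control(server_change(0, "add", "mallory")), "mallory" in alice.members

def hardened_client_flags_injected_and_withheld_changes():
    alice = Member("alice", ADMIN_KEY)
    alice.on_control(admin_change(0, "add", "bob"))
    alice.on_control(server_change(1, "add", "mallory"))  # server-originated, untagged
    alice.on_control(admin_change(2, "add", "carol"))     # seq 1 was never delivered
    return "mallory" in alice.members, alice.alerts
```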
It is not the first serious vulnerability that researchers have discovered in WhatsApp’s messaging platform: security firm Check Point uncovered a loophole last year that allowed hackers to completely take over users’ accounts and access conversations, contact lists, photos, videos and other shared media.
WhatsApp told Newsweek at the time: “We build WhatsApp to keep people and their information secure. When Check Point reported the issue, we addressed it within a day and released an update for web.”
WhatsApp has also noted that it has consistently pushed back on government requests to break encryption.