WhatsApp is an instant messaging platform which is preferred by millions of users across the globe, thanks to the clean user interface. German Cryptographers, in their research, have found out that WhatsApp group chats are hackable citing that any new member can read the group chats. A report from Wired says that a group of researchers from the Ruhr University Bochum in Germany discovered a major flaw in WhatsApp group chat mechanism.
As per the report, any hacker can gain access to a group chat on WhatsApp, despite end-to-end encryption. According to the German researchers, the power of any WhatsApp group lies in WhatsApp servers and not the group admin. So they highlighted that any person who controls the app’ servers could get the access the WhatsApp group chat.
“Anyone who controls the app’s servers could insert new people into private group chats without needing admin permission,” the report said. So the group admins can add any member to a group without requiring the permission of the admin. “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rosler, one of the Ruhr University researchers quoted.
Here’s how the researchers explained the bug on WhatsApp. Only the administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof. This allows the server controller to add a new group person without the group admin’s knowledge.
“The phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages,” the report added.
The researchers also spoke about the end-to-end encryption which was introduced by WhatsApp a couple of years ago. “If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little,” further added Paul Rosler.
A WhatsApp spokesperson said to the Wired that “no one can secretly add a new member to a group and a notification does go through that a new, unknown member has joined the group”.
WhatsApp is yet to respond to this report.