The team, which hails from Ruhr University Bochum in Germany, presented their find in a research paper on Wednesday at the Real World Crypto security conference in Zurich, Switzerland. All group members are deemed administrators, and can thus add a new group member by sending an encrypted group management message to the other participants.
And once that new person is added, the phone of each member of that chat group automatically shares secret keys with that person, giving them full access to all future messages, but not past ones. "On WhatsApp, existing members of a group are notified when new people are added", said Stamos.
"He can cache all the message and then decide which get sent to whom and which not", Rosler said. Since the group ID is a random 128-bit number (and is never revealed to non-group-members or even the server) that pretty much blocks the attack.
The research group turned its attention to messaging tools Signal, WhatsApp, and Threema, but it was only Facebook's WhatsApp that gave cause for concern. They should utilize the Message Admin catch to post a message or offer media to the gathering.
Facebook's Chief Security Officer Alex Stamos wrote on Twitter that the bug is not effective because WhatsApp users are notified when new members join conversations.
"We've looked at this issue carefully", a WhatsApp spokesperson wrote in an email. This allows the server controller to add a new group person without the group admin's knowledge.
But the shoddy security around WhatsApp's group chats should make its most sensitive users wary of interlopers, Rösler argues.
The researchers recommend in their paper that users who rely on absolute privacy should stick to Signal or individual private messaging. "And if not, the value of encryption is very little".
WhatsApp noted that group members could view the other members of the group by tapping on "group info", though the security flaw would mean that encryption would not protect WhatsApp users who have not checked this and are therefore unaware that their group has been infiltrated.
'We built WhatsApp so group messages can not be sent to a hidden user.