Whatsapp servers can be compromised to add people to private groups

It's a narrow flaw, but a significant one.

Dado Ruvic / Reuters

Messaging service Whatsapp made headlines in 2016 when it introduced end-to-end encryption to every message sent through the service, whether text, photo or video. Clearly security is a priority for the company. That's why it's so surprising that researchers have discovered a significant security flaw: Anyone in control of a Whatsapp server can add people to a private group with minimal effort, as reported by Wired.

The findings will be presented Wednesday at the Real World Crypto conference in Zurich. A group of researchers from Ruhr University probed multiple messaging apps for security flaws. They didn't have any major findings with Signal and Threema. Whatsapp was a different story, which you can read in the paper they published on the topic.

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," Paul Rösler, one of the paper's coauthors, told Wired. End-to-end security protection doesn't mean nearly as much when someone at the company can simply drop a new person into a private chat anytime they want. While usually, the administrator of a group is the only one who can invite a new person to a private chat, there isn't a mechanism currently in place to authenticate that invitation. Once a person is invited, old messages will remain encrypted, but new ones will be available to the new member.

Now, it's important to note the limits of this security flaw: Whoever was exploiting it would have to be in control of the messaging app's servers. But if a server is indeed compromised, it's not good news. WhatsApp noted to Wired that a notification would go out to all members if someone new were added to a group, so it's not possible to add someone to a private chat and keep it a secret, but the fact that the possibility exists isn't great in terms of security.