Essentially, anyone who controls WhatsApp's servers could easily add new, unidentified people to WhatsApp groups without the group administrator's permission, even though the administrator is supposed to have full control over adding and removing members.
The issues are encryption flaws and were detailed at the Real World Crypto security conference in Zurich, Switzerland, by researchers from Ruhr University Bochum in Germany. The representative acknowledged the research findings but added that if someone new were added to the group chat, every other member, including the admin, would be alerted about it. Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism for that invitation that its own servers can't spoof.
Once the eavesdropper is in the group, he or she would have access to all future messages sent to the group, as WhatsApp would generate secret keys for each member in the group and share them with the newcomer.
With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages.
An attacker would have to take control of WhatsApp servers, which means a sophisticated hacker, a WhatsApp staffer or a government with legal authority could gain access, even though end-to-end encryption is supposed to protect users from even these sorts of attacks. And as only new messages can be viewed by a new member, the risk to privacy is mitigated somewhat. According to the German researchers, the power over any WhatsApp group lies with WhatsApp's servers and not with the group admin.
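A minimal model of the gap described above, as an added example (not code from WhatsApp or from the researchers): a client that accepts any server-relayed membership change, next to one that requires a MAC under a key the server does not hold. The pairwise admin-to-member key, the message fields and the class names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for a secret the admin shares end-to-end
# with one member (assumption). The relay server never sees it.
ADMIN_MEMBER_KEY = b"constructed-demo-pairwise-key"


def encode(change: dict) -> bytes:
    """Canonical byte encoding so sender and verifier MAC identical bytes."""
    return json.dumps(change, sort_keys=True, separators=(",", ":")).encode()


def admin_add_member(key: bytes, group: str, new_member: str, seq: int) -> dict:
    """Admin side: build an 'add member' message and authenticate it."""
    change = {"op": "add", "group": group, "member": new_member, "seq": seq}
    tag = hmac.new(key, encode(change), hashlib.sha256).hexdigest()
    return {"change": change, "tag": tag}


class NaiveClient:
    """Trusts whatever membership change the server relays."""
    def __init__(self):
        self.members = {"alice", "bob"}

    def on_membership_message(self, msg: dict) -> bool:
        self.members.add(msg["change"]["member"])
        return True


class VerifyingClient:
    """Accepts a change only if it carries a valid, fresh admin MAC."""
    def __init__(self, key: bytes, group: str):
        self.key, self.group = key, group
        self.members = {"alice", "bob"}
        self.last_seq = 0

    def on_membership_message(self, msg: dict) -> bool:
        change, tag = msg.get("change", {}), str(msg.get("tag", ""))
        expected = hmac.new(self.key, encode(change), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False  # not authenticated by the admin
        if change.get("group") != self.group or change.get("op") != "add":
            return False  # wrong group or unsupported operation
        if change["seq"] <= self.last_seq:
            return False  # replay of an older, already applied change
        self.last_seq = change["seq"]
        self.members.add(change["member"])
        return True
```

Authenticating the change this way does not stop a server from dropping messages, which the article raises as a separate problem.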
Facebook's Chief Security Officer Alex Stamos said in a Twitter thread that it was impossible for anyone to infiltrate WhatsApp's private groups. "Entering the group however leaves traces since this operation is listed in the graphical user interface", the paper states, though it adds that the flaws also allow the attacker to hide their tracks. Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it. "And if not, the value of encryption is very little", he added. WhatsApp has noted that if it were to immediately fix the flaw, it could cause problems with allowing legitimate new members to join the group through the use of a shared URL.
But the shoddy security around WhatsApp's group chats should make its most sensitive users wary of interlopers, Rösler argues.