WhatsApp dismissed warnings from researchers regarding a flaw which lets anyone in control of the messaging app’s servers insert new participants into a group chat.
A representative told news site Wired the app does not enable messages to be sent to hidden users, adding that members of groups are notified when new people join: “The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted,” the representative told the news outlet.
Researchers from Ruhr University Bochum in Germany found WhatsApp does not use authentication mechanisms when people are invited into a group conversation. Normally, only group administrators can do this, but the researchers found it could also be done by someone who manages to gain control of the servers.
Wired quoted Matthew Green, a cryptography professor at Johns Hopkins University, as saying: “If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption.”
The researchers also suggested an attacker with access to WhatsApp servers could block messages in the group. The team of security researchers revealed the flaw to WhatsApp in July 2017. They believe the company should add an authentication mechanism for new group invitations.
Similar encrypted messaging apps from Signal and Threema were also found to be vulnerable to the flaw, albeit to a lesser degree.
In the case of Signal the threat is less formidable because a hacker would need to access the server as well as know the Group ID number for the chat, which the Wired report said are “essentially unguessable”. Meanwhile Threema put out a fix in a software patch.
WhatsApp’s end-to-end encryption, which secures all messages on the app so even the company itself has no way to read them, came under fire from goverments in the UK and Brazil, which want access to the messages to fight crime and terrorism.