WhatsApp flaws could allow uninvited guests into group chats


Computer researchers have discovered a set of flaws in WhatsApp that could allow uninvited individuals into private group chats.

WhatsApp, owned by Facebook, is a popular secure messaging application that uses end-to-end encryption.


The team of cryptographers at Ruhr University in Bochum, Germany, found a set of security weaknesses in the messaging app that together allow anyone controlling the WhatsApp server to insert other parties into a private group thread without getting permission from the administrator who controls the group.

The design flaws allow “an attacker … controlling some of the messages sent by the WhatsApp server, to become a member of the group or add other users to the group without any interaction of the other users,” according to their research paper released earlier this month. 

The researchers detailed the findings at the Real World Crypto security conference in Zurich on Wednesday, according to Wired. They also found less significant weaknesses in secure messaging apps Signal and Threema. 

While the flaws could allow an attacker to gain full control of group chats on the application, any would-be attacker would still first need to take control of the WhatsApp server to exploit the security flaws.

WhatsApp said in a statement that the company has carefully examined the issue and noted that the platform is built so that users are alerted when new people are added to a group message chat.

"We've looked at this issue carefully," a WhatsApp spokesperson said. "Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”

The research states that a would-be eavesdropper "leaves traces" of their activity but also indicates that the flaws allow the actor to hide their tracks.

“The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface,” the paper states. 

“The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members,” the research states. “Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.”

Updated at 2:45 p.m.