A group of German researchers at Real World Crypto security conference in Switzerland announced that they have discovered security flaws in WhatsApp’s end-to-end encryption. In a report from Wired , the researchers say that anyone who controls WhatsApp’s servers can add people into private group chats, without getting the admin’s permission. The new member would be able to read all messages going forward, breaking the confidentiality of the group and negating end-to-end encryption.
The value for end-to-end encryption gets little when any uninvited member is added to a group “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Wired quotes Paul Rösler, one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities.Although this is a serious concern, the requirement that this method has of controlling WhatsApp servers would appear to limit the risk factors a little. Extremely sophisticated hackers, WhatsApp’s own staff, and state actors are the different kinds of people who would be able to exploit this. And even then, all messages previous to the insertion of a new member would remain private.
Facebook’s Chief Security Officer Alex Stamos, responding to the report on Twitter, said, “Read the Wired article today about WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.”