Group chat app Signal was found to have the same problem as WhatsApp, but as well as controlling the server the attacker also needs to know the chat's Group ID - which is nearly impossible to know without having physical access to one of the phones in the message thread.
The design flaw "allows an attacker ... controlling some of the messages sent by the WhatsApp server, to become a member of the group or add other users to the group without any interaction of the other users", according to their research paper released earlier this month. This does not require permission from the group's admin, and the new person added to the group can read the group chats easily.
And once that new person is added, the phone of each member of that chat group automatically shares secret keys with that person, giving them full access to all future messages, but not past ones. They also point out that the lack of any authentication mechanism for invitations of new members worsens the security.
Researchers have uncovered a serious security vulnerability in WhatsApp that could allow hackers or government spies to slide unnoticed into group chats in the Facebook-owned messaging app. However, users still get a notification of a new member joining.
In their paper, the researchers compared WhatsApp's security practices with those of Signal and Threema, and they ultimately concluded that WhatsApp is the least secure of the three when it comes to group messages.
Furthermore, Alex Stamos, the chief security officer for Facebook, posted his opinion on Twitter regarding the supposed threat. Existing members are notified when new people are added to a WhatsApp group.
This is because a notification goes out that a new, unknown member has joined the group, alerting the existing members.
In a statement to Wired, WhatsApp said it had looked into the problem.
WhatsApp has launched a feature in its beta version that will let users switch to video calls from voice calls at the touch of a button. Remember the end-to-end encryption that WhatsApp uses for sending messages between users?
"At present, WhatsApp is developing this feature for iOS and it will be available soon for all users, instead for Android it is already enabled by default in the newest WhatsApp Google Play beta for Android 2.18.12", the report confirmed.
"If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against". Now WhatsApp is testing a feature, which will allow a particular admin to be demoted, instead of just removing them entirely from the group.