A group of German security researchers has concluded that WhatsApp group chats might not be so secure and can easily be infiltrated without permission of the group admin. The group uncovered flaws in security protocol of group of three popular instant messaging apps with WhatsApp standing out considering its 1 billion plus user base. The researchers focused on WhatsApp, Signal and Threema and presented their findings at the ''Real World Crypto security conference'' in Zurich, Switzerland, Wired reported.
The report said while Signal and Threema's flaws were not so serious, with WhatsApp they found that anyone with control of the app's servers could insert new people into private groups. This would be possible without the need for the group administrator's permission, the researchers said. WhatsApp has added end-to-end encryption across the app and made all conversations on the group private, which means it cannot be read by any third-party, be it government, criminals or even WhatsApp itself. It may be pointed out that WhatsApp relies on the Signal protocol for its end-to-end encryption.
According to the Wired report, the researchers pointed out a bug in WhatsApp's authentication system. They added that ''WhatsApp doesn't use any authentication mechanism'' when a new member is added to the group and this is something its own servers can spoof as well.
According to the researchers, in a pairwise communication, where only two users communicate with each other, the server has a limited role to pay, but in a group conversation, the role of servers increases to merge the entire process and it is here where the problem of vulnerability kicks in.
According to the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to the group and it is possible for an unauthorised person, who is not even a member of the group, to add someone to the group chat.