WhatsApp likes to brag about its end-to-end encryption, but researchers from Germany’s Ruhr University Bochum have discovered a flaw that could allow unwanted eyes to spy upon your private group chats.

In a technical research paper that explores the end-to-end security of three different secure messaging apps capable of allowing “private” group chats, researchers found the most serious shortcomings in the immensely popular WhatsApp platform.

The research paper, presented at the Real World Crypto security conference in Switzerland, describes how it would be possible for a complete stranger to add themselves to an encrypted WhatsApp group chat. Although past messages sent to the group would not be visible to the intruder, they could receive future messages.

Clearly, that’s far from good news, but avid WhatsApp users will be relieved to hear that the addition of the unauthorised party is no secret. Every member of the group receives a message saying that someone new has joined the chat, albeit apparently at the invitation of the group chat’s administrator.

Eagle-eyed members of the group, of the administrator themselves, may notice the interloper and warn the legitimate group’s members.

WhatsApp’s failing is possible because the platform fails to properly authenticate group invitations, the paper makes clear:

The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually (Read more...)