WhatsApp tries its best to reassure users that it practices secure communications to maintain privacy. This is mostly done through end-to-end encryption that prevents third parties from deciphering the content of messages. However, researchers have found a flaw in the messaging service’s servers that allows attackers to bypass the encryption by simply joining private chat groups.
This vulnerability requires an attacker to gain access to the WhatsApp servers, which makes it a little difficult to pull off. However, once access is gained (which is what the researchers did) it is a small matter of being added to any and all chats.
Group chats are usually formed when the admin creates a room and adds individuals to it. For the most part, this is an encrypted process that is relatively secure. However, it turns out that the WhatsApp servers do not authenticate invites from an admin, and instead simply approve anything that remotely looks like it came from the right person.
Fortunately, this doesn’t mean that people can be added to chat groups in secret. Participants will still see a notification that someone has been added, and vigilant users will be able to spot the interloper. Of course, the notification could also be lost in a sea of messages. Either way, it’s not a foolproof system.
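A simplified model of the gap described above, as an added example that is not WhatsApp's code or protocol: a group roster that accepts any "add member" message naming an admin, beside one that requires a MAC the relaying server cannot produce. The per-admin key shared end-to-end with members, the message fields and the replay counter are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _payload(msg: dict) -> bytes:
    # Canonical bytes covered by the MAC: every field except the MAC itself.
    return json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()

def signed_add(admin_key: bytes, group: str, admin: str, new_member: str, ctr: int) -> dict:
    """Admin side: build an add-member message authenticated with the admin's key."""
    msg = {"group": group, "admin": admin, "add": new_member, "ctr": ctr}
    msg["mac"] = hmac.new(admin_key, _payload(msg), hashlib.sha256).hexdigest()
    return msg

class GroupState:
    """Roster as held by the party that processes membership changes (hypothetical model)."""
    def __init__(self, group, admin_keys, members):
        self.group = group
        self.admin_keys = dict(admin_keys)   # admin name -> key the server never sees (assumption)
        self.members = set(members)
        self.last_ctr = {a: 0 for a in self.admin_keys}
        self.notifications = []              # what participants would see in the chat

    def _well_formed(self, msg):
        return msg.get("group") == self.group and isinstance(msg.get("add"), str)

    def _add(self, msg):
        self.members.add(msg["add"])
        self.notifications.append(f'{msg["add"]} was added by {msg["admin"]}')
        return True

    def apply_unauthenticated(self, msg):
        # Weak: the claimed admin name is the only check, so whoever relays messages can forge it.
        if not self._well_formed(msg) or msg.get("admin") not in self.admin_keys:
            return False
        return self._add(msg)

    def apply_authenticated(self, msg):
        key = self.admin_keys.get(msg.get("admin"))
        if key is None or not self._well_formed(msg):
            return False
        expected = hmac.new(key, _payload(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("mac", "")).encode()):
            return False                     # not produced by the admin's key
        ctr = msg.get("ctr")
        if not isinstance(ctr, int) or ctr <= self.last_ctr[msg["admin"]]:
            return False                     # replay of an earlier, genuine add
        self.last_ctr[msg["admin"]] = ctr
        return self._add(msg)

# Constructed sample: an add that names the admin but carries no proof of origin.
FORGED_ADD = {"group": "g1", "admin": "alice", "add": "mallory", "ctr": 1}
```

In both variants an accepted add still lands in `notifications`, which matches the point that the join is visible to participants even when it is not authentic.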
What is worrying is that the researchers claim to have alerted WhatsApp to the flaw last year. Despite this, the messaging service has not done anything to solve the problem. The excuse is that fixing the problem would end up breaking the public invite link feature that allows anyone to join a chat group through a URL.
This vulnerability isn’t all that dangerous on its own, and probably won’t be used on that many people. However, the worry is that it may be used by nation-states to spy on people, which essentially violates their right to privacy. That said, most nation-states that spy on their own citizens don’t really recognise most human rights.