Privacy: WhatsApp's group messages might not be as secure as you think


A team of German cryptographers say they have found a flaw in WhatsApp's security that allowed them to bypass the chat app's end-to-end encryption and eavesdrop on group chat messages.

"Anyone who controls the app's servers could insert new people into private group chats without needing admin permission", the report said. All group members are deemed administrators, and can thus add a new group member by sending an encrypted group management message to the other participants.

However, once a new member is added, the encryption keys are shared between the phones using WhatsApp, and there's potential for sophisticated hackers to use techniques to selectively block new group messages, which would help interlopers avoid immediate detection.

With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages.

According to the researchers at Ruhr University, any hacker who gained control over the WhatsApp server would get access to any group chat without admin permission. If the admin is keeping an eye on things, then he/she would know that a foreign party has entered the group and could warn members about it.

Security researcher Moxie Marlinspike in a forum post explained how WhatsApp group messaging works.

WhatsApp is working on a new group notifications feature where a user will be notified every time they are mentioned by someone.

In a statement to IANS on Thursday, a WhatsApp spokesperson said: "We've looked at this issue carefully".

"The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group", the paper states. In the paper, which summarizes their findings, the researchers recommend that users who rely on absolute privacy should stick to Signal or individual private messaging.

The upcoming feature that sends notifications when you are mentioned in a group was initially spotted by WABetaInfo, which comes up with WhatsApp-related features and updates. "But there is no [sic] a secret way into WhatsApp groups chats". Thus, servers cannot detect if the admin added new members or someone unknown joined the private conversation. "It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted".

However, researchers from Germany discovered that WhatsApp's end-to-end encryption might be useless because it does not protect from unauthorized access via the company's servers.