Security researchers discovered a vulnerability in WhatsApp and Signal that allows anyone who controls the servers to covertly add new members to a private group.
The purpose of implementing end-to-end encryption was to stop anyone, be it the company itself or the server that relays the data, from decrypting it. The vulnerability can enable anyone with access to the server to break the transport security layer and take full control over a group chat. Because WhatsApp and Signal failed to authenticate who is adding a new member to the group, someone who is neither a group administrator nor a member can add a member to a private group.
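To make the missing check concrete, the following is an added illustration (not WhatsApp's or Signal's code) of a toy group-membership model: one design applies whatever "add member" message the server relays, the other accepts a membership change only when the control message is authenticated with a key held by the members alone, issued by an admin, and not a replay. The group key, counters and names are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
@dataclass
class Group:
    members: set
    admins: set
    group_key: bytes   # assumed model: shared by members only, never held by the relay server
    seen: set          # counters of control messages already applied (replay protection)

def management_tag(group_key: bytes, adder: str, new_member: str, counter: int) -> bytes:
    # MAC over the "add member" control message, keyed with the members-only group key
    body = f"add|{adder}|{new_member}|{counter}".encode()
    return hmac.new(group_key, body, hashlib.sha256).digest()

def add_member_unauthenticated(group: Group, new_member: str) -> bool:
    # Weak design: a membership change relayed by the server is applied as-is
    group.members.add(new_member)
    return True

def add_member_authenticated(group: Group, adder: str, new_member: str,
                             counter: int, tag: bytes) -> bool:
    # Hardened design: the add must be authentic, authorised and fresh
    expected = management_tag(group.group_key, adder, new_member, counter)
    if not hmac.compare_digest(expected, tag):
        return False   # a server without the group key cannot forge this
    if adder not in group.admins:
        return False   # only an existing admin may change membership
    if counter in group.seen:
        return False   # replayed control message
    group.seen.add(counter)
    group.members.add(new_member)
    return True

def demo() -> dict:
    # Constructed scenario: a compromised server tries to slip "eve" into the group
    key = hashlib.sha256(b"constructed-members-only-secret").digest()
    weak = Group({"alice", "bob"}, {"alice"}, key, set())
    strong = Group({"alice", "bob"}, {"alice"}, key, set())
    r = {"weak_server_add": add_member_unauthenticated(weak, "eve")}
    forged = management_tag(b"server-guess", "alice", "eve", 1)      # server lacks the real key
    r["strong_server_add"] = add_member_authenticated(strong, "alice", "eve", 1, forged)
    good = management_tag(key, "alice", "carol", 1)                  # genuine admin add
    r["strong_admin_add"] = add_member_authenticated(strong, "alice", "carol", 1, good)
    r["strong_replay"] = add_member_authenticated(strong, "alice", "carol", 1, good)
    bob_tag = management_tag(key, "bob", "dave", 2)                  # valid tag, not an admin
    r["strong_member_add"] = add_member_authenticated(strong, "bob", "dave", 2, bob_tag)
    r["members"] = sorted(strong.members)
    return r
```

The weak model accepts the server-injected member silently, which is the failure the researchers describe; the hardened model rejects it because the server cannot produce a valid tag.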
The end-to-end encryption feature relies on the generation of unique security keys using the acclaimed Signal protocol, developed by Open Whisper Systems. Keys are exchanged between users to guarantee that communications are secure from interception by middlemen. But WhatsApp can force new encryption keys to be generated for offline users; this is what happens when a user buys a new phone or reinstalls the app. Messages for that user which were waiting to be delivered while the user was offline are then re-encrypted and resent by the sender automatically, without the sender having had an opportunity to verify that the recipient is the person intended to receive the message. The sender is notified of the event only if they have turned on the corresponding notification in settings, not otherwise.
In this process, the re-encryption and rebroadcasting effectively allow WhatsApp to intercept and read users' messages.
Individuals, as well as businesses, should also be extremely concerned, as many sensitive work-related topics are discussed on this platform.
According to campaigners, it is a huge threat to freedom of speech. If WhatsApp is asked by a government agency to disclose messaging records, it can easily grant access because of the change in keys. Thanks to the flaw, WhatsApp could potentially be exploited to conduct surveillance.
WhatsApp argued that existing members are notified when a new person is added to the group, but in a group with a very large number of members such a notification is easy to overlook.