The team argues their findings undermine each app's security claims for multi-person group conversations to varying degrees. The flaw means that anyone in control of a WhatsApp server could, in theory, insert people into a conversation - either with the aim of simply eavesdropping, or diverting the conversation.
However, researchers from Germany discovered that WhatsApp's end-to-end encryption might be useless because it does not protect against unauthorized access via the company's servers. "And if not, the value of encryption is very little".
But the premise of so-called end-to-end encryption has always been that even a compromised server shouldn't expose secrets.
According to the researchers, the WhatsApp attack takes advantage of a basic flaw.
The issue is that WhatsApp does not use any authentication mechanism for an invite sent out by a group administrator.
The server can add any new member to the group without asking for permission from the group administrator. Users still get a notification of a new member joining, so if it is someone you think should not be present in the group, it is probably time to jump ship.
But the Ruhr University researchers and Johns Hopkins' Green point out several tricks that could be used to delay detection.
It is not the first serious vulnerability that researchers have discovered on WhatsApp's messaging platform: security firm Check Point uncovered a loophole a year ago that allowed hackers to completely take over users' accounts and access conversations, contact lists, photos, videos and other shared media.
When an administrator adds someone to a group, the server checks that the user is authorized to administer that group and, if so, sends a message to every member of the group indicating that they should add that user.
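The point the researchers make is that the "add this member" message relayed to group members carries nothing only the administrator could have produced, so a server can emit one itself. The constructed example below (not WhatsApp's code) contrasts a client that applies any relayed update with one that requires an administrator authentication tag and rejects replays; the shared `ADMIN_KEY` stands in for the administrator's signing key, which a real design would make asymmetric so members can verify without being able to forge.

```python
import hmac
import hashlib
import json

# Constructed secret standing in for the admin's signing key. Known to the
# admin and members, not to the server, so the server cannot produce tags.
ADMIN_KEY = b"constructed-admin-secret"


def canonical(update: dict) -> bytes:
    """Deterministic encoding of the fields the admin authenticates."""
    fields = {k: update.get(k) for k in ("group", "seq", "action", "member")}
    return json.dumps(fields, sort_keys=True).encode()


def admin_sign(update: dict) -> dict:
    """What a real administrator's client attaches to a membership update."""
    tag = hmac.new(ADMIN_KEY, canonical(update), hashlib.sha256).hexdigest()
    return {**update, "tag": tag}


class GroupClient:
    def __init__(self, group: str, members, require_auth: bool):
        self.group = group
        self.members = set(members)
        self.require_auth = require_auth  # False models the flaw described above
        self.last_seq = 0  # highest authenticated update applied so far

    def apply(self, update: dict) -> bool:
        """Apply a membership update relayed by the server; True if accepted."""
        if update.get("group") != self.group or update.get("action") != "add":
            return False
        if self.require_auth:
            expected = hmac.new(ADMIN_KEY, canonical(update),
                                hashlib.sha256).hexdigest()
            # Constant-time compare: a missing, forged or tampered tag fails here.
            if not hmac.compare_digest(expected, update.get("tag", "")):
                return False
            # Reject replay of an earlier, genuinely authenticated add.
            if update.get("seq", 0) <= self.last_seq:
                return False
            self.last_seq = update["seq"]
        self.members.add(update["member"])
        return True
```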
Facebook's Chief Security Officer Alex Stamos wrote on Twitter that the bug is not effective because WhatsApp users are notified when new members join conversations. A group of German cryptographers spotted this major flaw in WhatsApp.
Encryption has always been one of the harder elements of group chat; the best protection in the world cannot stop unintended readers from seeing messages once they have been decrypted.
In a statement to Wired, WhatsApp said it had looked into the problem.
If an admin creates a group chat, he or she has the right to add other members. Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.
WhatsApp has launched a feature in its beta version that will let users switch to video calls from voice calls at the touch of a button. But that possibility of detection isn't an adequate solution to WhatsApp's underlying problem, argues Johns Hopkins' Green.