According to the researchers, once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group. "But there is no [sic] a secret way into WhatsApp groups chats". Now, it looks like the company is all set to roll out another feature that will send notifications to users whenever they are mentioned by someone in a group.
The vulnerability enables anyone with access to WhatsApp servers to join a private group or insert others without the permission of the chat's administrator.
Once a person is added, everyone in the chat automatically shares secret keys with that user. Once they're in, the hackers can only monitor future communication, which keeps past messages safely tucked away from prying eyes.
The experts planned to reveal their findings at the Real World Crypto security conference Wednesday in Switzerland.
On the surface, the social messaging app that is owned by Facebook seems to have a major security flaw. Chats are protected by a unique code which is shared only with members of the conversation.
This means they have access to all future messages, but cannot view past ones.
According to WABetaInfo, a fan site that tests new WhatsApp features early, the new option, present in the Group Info section as "Dismiss as admin", allows an administrator to dismiss another one without removing him or her from the group.
The researchers suggest that those seeking absolute privacy should stick to one-to-one chats or use a different encrypted messaging service.
Reacting to the report, Facebook Chief Security Officer Alex Stamos tweeted: "Read the Wired article about WhatsApp - scary headline!"
But the shoddy security around WhatsApp's group chats should make its most sensitive users wary of interlopers, Rösler argues.
'Existing members are notified when new people are added to a WhatsApp group,' it said.
'The clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping,' Mr Stamos wrote on Twitter.
The report, however, did not document any threat to the way end-to-end encryption protects the content of messages sent on WhatsApp. Now, when an admin promotes someone to the admin position, removing them as admin means that the person has to be removed from the group.
Open Whisper Systems, the creators of Signal, told Wired that they are now redesigning how Signal handles group messaging, but did not share any more than that.