GOT CRYPTOGRAPHY? WhatsApp provides no cryptographic management for group messages The weakness creates the possibility of an insider or hacker adding rogue members. Dan Goodin – May 7, 2025 6:04 pm | 0 Credit: Stan Honda / Getty Images Credit: Stan Honda / Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The world has been abuzz for weeks now about the inclusion of a journalist in a group message of senior White House officials discussing plans for a military strike. In that case, the breach was the result of then-National Security Advisor Mike Walz accidentally adding The Atlantic Editor-in-Chief Jeffrey Goldberg to the group chat and no one else in the chat noticing. But what if someone controlling or hacking a messenger platform could do the same thing? When it comes to WhatsApp—the Meta-owned messenger that’s frequently touted for offering end-to-end encryption—it turns out you can. A clean bill of health except for ... A team of researchers made the finding in a recently released formal analysis of WhatsApp group messaging. They reverse-engineered the app, described the formal cryptographic protocols, and provided theorems establishing the security guarantees that WhatsApp provides. Overall, they gave the messenger a clean bill of health, finding that it works securely and as described by WhatsApp. They did, however, discover a largely overlooked behavior that should give some group messaging users pause: Like other messengers billed as secure—with the notable exception of Signal—WhatsApp doesn’t provide any sort of cryptographic means for group management. “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” The chance of someone exploiting this weakness to access a WhatsApp group for soccer parents is likely nil. A nation-state operative, on the other hand, trying to crash a group of government officials discussing sensitive national security issues is well within the realms of possibility. In such a case, a WhatsApp admin with sufficient system privileges could add as many users to an existing group as desired. So could an attacker who managed to hack the WhatsApp infrastructure. With many groups numbering in the dozens or even hundreds of members, the notification might not be easy to notice. The flow of adding new members to a WhatsApp group message is: A group member sends an unsigned message to the WhatsApp server that designates which users are group members, for instance, Alice, Bob, and Charlie The server informs all existing group members that Alice, Bob, and Charlie have been added The existing members have the option of deciding whether to accept messages from Alice, Bob, and Charlie, and whether messages exchanged with them should be encrypted With no cryptographic signatures verifying an existing member wants to add a new member, additions can be made by anyone with the ability to control the server or messages that flow into it. Using the common fictional scenario for illustrating end-to-end encryption, this lack of cryptographic assurance leaves open the possibility that Malory can join a group and gain access to the human-readable messages exchanged there. WhatsApp isn’t the only messenger lacking cryptographic assurances for new group members. In 2022, a team that included some of the same researchers that analyzed WhatsApp found that Matrix—an open source and proprietary platform for chat and collaboration clients and servers—also provided no cryptographic means for ensuring only authorized members join a group. The Telegram messenger, meanwhile, offers no end-to-end encryption for group messages, making the app among the weakest for ensuring the confidentiality of group messages. In contrast, the open source Signal messenger provides a cryptographic assurance that only an existing group member designated as the group admin can add new members. In an email, researcher Benjamin Dowling, also of King’s College, explained: Signal implements “cryptographic group management.” Roughly this means that the administrator of a group, a user, signs a message along the lines of “Alice, Bob and Charley are in this group” to everyone else. Then, everybody else in the group makes their decision on who to encrypt to and who to accept messages from based on these cryptographically signed messages, [meaning] who to accept as a group member. The system used by Signal is a bit different [than WhatsApp], since [Signal] makes additional efforts to avoid revealing the group membership to the server, but the core principles remain the same. On a high-level, in Signal, groups are associated with group membership lists that are stored on the Signal server. An administrator of the group generates a GroupMasterKey that is used to make changes to this group membership list. In particular, the GroupMasterKey is sent to other group members via Signal, and so is unknown to the server. Thus, whenever an administrator wants to make a change to the group (for instance, invite another user), they need to create an updated membership list (authenticated with the GroupMasterKey) telling other users of the group who to add. Existing users are notified of the change and update their group list, and perform the appropriate cryptographic operations with the new member so the existing member can begin sending messages to the new members as part of the group. Most messaging apps, including Signal, don’t certify the identity of their users. That means there’s no way Signal can verify that the person using an account named Alice does, in fact, belong to Alice. It’s fully possible that Malory could create an account and name it Alice. (As an aside, and in sharp contrast to Signal, the account members that belong to a given WhatsApp group are visible to insiders, hackers, and to anyone with a valid subpoena.) Signal does, however, offer a feature known as safety numbers. It makes it easy for a user to verify the security of messages or calls with specific contacts. When two users verify out-of-band—meaning using a known valid email address or cell phone number of the other—that Signal is displaying the same safety number on both their devices, they can be assured that the person claiming to be Alice is, in fact, Alice. Walz, the former National Security Advisor, failed to follow this crucial step when adding The Atlantic editor-in-chief to a Signal group. That failure resulted in sensitive military plans being sent to someone unauthorized to receive them. No matter what app three or more people use for group messages, it’s crucial that they know the identity behind all fellow group member names. The hurdles for causing the WhatsApp server to add a user to an existing group—either by a malicious insider or someone hacking WhatsApp infrastructure—are high enough that the weakness is likely to be exploited only in extraordinary cases. The fact that the weakness exists at all is a good reason for groups trading truly sensitive messages to steer clear of the app. The researchers previously sent their findings to WhatsApp. WhatsApp didn’t immediately respond to Ars' request for comment. Dan Goodin Senior Security Editor Dan Goodin Senior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 0 Comments