German researchers announced that they have discovered flaws in WhatsApp's end-to-end encryption. At the Real World Crypto security conference held in Switzerland, the researchers said that anyone who controls WhatsApp's servers can add new members to private group chats without the group administrator's permission.
The new member would be able to read all new messages, negating the group's privacy and its end-to-end encryption. Speaking to Wired, Paul Rösler, one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities, said, "If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little."
This sounds like a serious concern, but the attack requires control of WhatsApp's servers, which limits the risk a little. It narrows the set of people able to exploit the flaw to very sophisticated hackers and WhatsApp's own staff. And even then, all messages sent before the new member was inserted would remain private.
Facebook’s Chief Security Officer Alex Stamos pointed out that everyone in the group would normally see a message that a new member has joined, so this wouldn't be a stealthy strategy for any type of government spying. He added that the report has been thoroughly reviewed, and though there might be a way to add more protections, it's not very clear.