Tag: Signal

  • WhatsApp’s Group Messaging Threatened by Lack of Cryptographic Management

    WhatsApp’s recent security shortcomings have raised concerns regarding its group messaging feature, which lacks essential cryptographic management for adding new members. According to a report by Ars Technica, when a group member sends an unsigned message indicating new users to be added, the WhatsApp server notifies all existing group members without authentication. This flaw opens the door for unauthorized individuals to potentially join groups and access sensitive conversations, without any cryptographic verification of membership.

    The absence of cryptographic assurances isn’t unique to WhatsApp. Research from 2022 indicated that the Matrix platform, which serves a range of chat and collaboration clients, similarly lacks the cryptographic measures needed to confirm group member status. The Telegram messenger has also been identified as offering no end-to-end encryption for group messaging, further compromising user confidentiality.

    In stark contrast, Signal, a well-known open source messaging application, implements robust cryptographic group management. Signal’s system requires that only designated group administrators can add new members, using cryptographically signed messages to preserve the integrity of group membership. This design helps prevent unauthorized users (referred to as Mallory in theoretical discussions) from gaining access to group chats.

    Despite these advancements, a notable issue remains across messaging platforms, including Signal: user identities are not certified. This loophole allows anyone (such as a potential imposter named Mallory pretending to be Alice) to take advantage of unverified accounts. Unlike Signal, WhatsApp exposes group member identities, making them vulnerable to insiders and malicious actors alike.