A lot of talk went down yesterday about a new way to exploit WhatsApp and bypass the end-to-end encryption the company likes to mention that it has. I've seen tweets and comments that run the gamut from "it's FUD" to talking about some backdoor that Facebook had installed.

The good news is that it's neither. In fact, you don't need to be concerned about it, and instead, it is one of those things that make you wonder how it ever happened in the first place. But don't worry — it will be fixed long before anything happens.

What it is

Researchers Paul Rösler, Christian Mainka, and Jörg Schwenk at Ruhr-Universität in Bochum, Germany released a research paper that found a peculiar flaw in WhatsApp's group chat administration. WhatsApp offers the same end-to-end encryption for group chats that it does for individual chats, and that usually means we should be able to feel safe in knowing that the things we say won't be read by anyone who shouldn't be reading them.

Apparently, it's theoretically possible for a stranger to add themselves to a group chat on WhatsApp.

WhatsApp offers group messaging that uses strong end-to-end encryption.

In a WhatsApp group chat, one or more of the original members is an administrator. From the server's point of view, that means these people are able to add and remove people from the group. Everything is good so far, even though the way it works is a bit of a kludge in order to create a good user interface: an administrator sends a signal to every member of the group with his or her signing keys, each member sends a return message with their signing keys, and then the originator of the message notifies each member that there is now a new person in the group. If you're not an administrator, all you see is a message that a new person is now a member of the group. You can either accept that or leave the chat.

A similar flaw was found with group messaging through Signal.

The problem is that WhatsApp isn't properly authenticating these group management requests on its own servers. A WhatsApp server needs to properly ID the sender of a message that would add a person to a group chat. The person sends a message that IDs both the group and the member they wish to add, and the server checks to make sure the person who sent it is actually a chat administrator. These messages aren't end-to-end encrypted and instead use standard transport encryption: the message that goes from a chat administrator to a server, requesting that a user be added to a chat, is not signed by the sender with their encryption key.

This means a WhatsApp server can add any user it wants to any group, at any time. The server can, not another user. That's important, and it means any privacy expected in a WhatsApp group chat depends solely on trusting the WhatsApp chat server. That defeats the entire purpose of end-to-end encryption, which is designed so privacy is guaranteed even if a server is compromised because only the sender and recipient can decrypt a message.
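One way members could check an add-member request themselves instead of trusting the server, as an added example (not WhatsApp's code or its eventual fix, and not taken from the researchers' paper). The Member class, the message layout and the epoch counter are assumptions made for illustration, and a Lamport one-time signature built from SHA-256 stands in for a client's real signing key so the code runs on the Python standard library alone.

```python
from hashlib import sha256
import json
import secrets

def keygen():
    # Lamport one-time key (one message per key), standing in for a client's signing key.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(sha256(a).digest(), sha256(b).digest()) for a, b in sk]

def bits(msg):
    return [(byte >> j) & 1 for byte in sha256(msg).digest() for j in range(8)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    pairs = enumerate(zip(sig, bits(msg)))
    return len(sig) == 256 and all(sha256(s).digest() == pk[i][b] for i, (s, b) in pairs)

def encode(group_id, action, target, epoch):
    # Bytes covered by the signature; the epoch stops replay of an old request.
    return json.dumps([group_id, action, target, epoch]).encode()

class Member:
    def __init__(self, group_id, roster, admin_keys):
        self.group_id, self.roster = group_id, set(roster)
        self.admin_keys, self.epoch = admin_keys, 0

    def on_add_unsigned(self, target):
        self.roster.add(target)  # as in the article: a relayed add is simply trusted

    def on_add_signed(self, admin, target, epoch, sig):
        pk = self.admin_keys.get(admin)
        msg = encode(self.group_id, "add", target, epoch)
        if pk is None or epoch != self.epoch + 1 or not verify(pk, msg, sig):
            return False  # not provably from an administrator: roster unchanged
        self.roster.add(target)
        self.epoch = epoch
        return True

def demo():
    sk, pk = keygen()  # constructed key for a constructed admin "alice"
    legacy = Member("g1", {"alice", "bob"}, {"alice": pk})
    legacy.on_add_unsigned("mallory")  # an add that only the server vouches for
    strict = Member("g1", {"alice", "bob"}, {"alice": pk})
    forged = strict.on_add_signed("alice", "mallory", 1, [b"\0" * 32] * 256)
    real = strict.on_add_signed("alice", "carol", 1, sign(sk, encode("g1", "add", "carol", 1)))
    return "mallory" in legacy.roster, forged, real, sorted(strict.roster)
```

With the signature check in place, a request that names an administrator but was not signed with that administrator's key leaves the member's roster untouched, so the server alone can no longer change who is in the group.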

This shouldn't be a big deal but still needs fixing

The only way this flaw can be exploited is by someone with access to the server. That means a server gets compromised, or an employee goes rogue, or a three-letter government agency files a warrant. Any of those things could happen, might have happened in the past, and could even be happening right now. But one other thing needs to be considered — you'll know if it happens to your chat.

You are notified whenever a person is added to a group chat, encrypted or not.

The first thing that a server does after a member is added is notify every other member of the group that "XXX Person was added to the chat." When a new person arrives at the private chat party, and nobody invited him, that's going to be a sign that something's wrong and nobody should consider anything they are about to type as private. Pack up and move to another chat and maybe even a different service.

So nobody is going to be able to secretly check out your encrypted group chat, but this still undermines end-to-end encryption. It needs to be fixed right away, and maybe even the whole group management method needs to be revamped.

What you need to do

Nothing, really. Appreciate the work done by Rösler, Mainka, and Schwenk in finding this flaw because security research is a thankless and often mind-numbing job. A method of authenticating the request to add a member to an encrypted group chat will be sorted out by the folks who keep WhatsApp's wheels spinning, and this will change from a flaw that will never be exploited to a flaw that can no longer be exploited at all.

What's important is that you were paying attention, because the next flaw might very well be one that does need action on your part.
