07 July 2025
WhatsApp still vulnerable to security flaws discovered almost a decade ago
The first reverse-engineered version of the app otherwise retains a clean bill of health and full end-to-end encryption.

A new study reveals that WhatsApp chats are still vulnerable to infiltration by bad actors in control of the application’s servers, despite this risk being identified almost a decade ago.
In a paper presented at EuroCrypt 2025, King’s College London researchers Martin R. Albrecht and Benjamin Dowling, together with Royal Holloway, University of London PhD student Daniel Jones, reverse-engineered the WhatsApp application, a world first, to study the security guarantees that it provides. In doing so they confirmed a prior finding that WhatsApp provides no cryptographic management for group messaging: membership of a group is not cryptographically enforced.
First flagged in 2017, the vulnerability means that a hacker who compromises WhatsApp servers can add spies to a group chat, potentially compromising national security. This is also the case for other popular messaging apps like Telegram and Matrix but not Signal.
Dr Benjamin Dowling, a Senior Lecturer in Cryptography in the Department of Informatics, said, “The recent Signalgate scandal has put the security of messaging services like WhatsApp right to the top of people’s minds, and while that was a human mistake it does show the danger of people infiltrating groups where sensitive material is discussed.
“By pointing out these vulnerabilities, we hope to encourage WhatsApp to act to protect the security of users.”
The flaw in encryption relates to adding people to a WhatsApp group. When a person wants to add someone to a group, they send a message to the WhatsApp server, which then designates this new person as a member. The server then sends a message to everyone in the group informing them about the addition of the new group member.
However, because WhatsApp has no cryptographic management for group messaging and does not restrict group changes to existing members of the group, clients simply accept the server’s word on who is in a group, so someone with access to the server can push unknown people into it.
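The add-member flow described above, alongside the kind of member-authorised check that would prevent a server-originated addition, as an added illustration written for this article (not code from the paper or from WhatsApp; the member names, keys and the HMAC stand-in for per-member signatures are constructed):

```python
import hmac
import hashlib

# Constructed stand-in for per-member signing keys. A real design would use
# public-key signatures; HMAC with a key registry keeps this example stand-alone.
MEMBER_KEYS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}


class ServerManagedGroup:
    """Models the scheme the article describes: the server alone decides membership."""

    def __init__(self, members):
        self.members = set(members)

    def server_add(self, new_member):
        # Whoever controls the server can call this; clients are merely notified.
        self.members.add(new_member)
        return f"{new_member} was added to the group"


class MemberAuthorisedGroup:
    """Hypothetical hardening: an add is applied only if signed by a current member."""

    def __init__(self, members):
        self.members = set(members)

    def sign_add(self, proposer, new_member):
        # The proposing member signs the change; the server only relays it.
        msg = f"add:{new_member}:by:{proposer}".encode()
        tag = hmac.new(MEMBER_KEYS[proposer], msg, hashlib.sha256).hexdigest()
        return msg, tag

    def apply_add(self, msg, tag):
        # Every client checks that the proposer is already a member and that the
        # tag verifies; a message forged at the server carries no valid member tag.
        _, new_member, _, proposer = msg.decode().split(":")
        key = MEMBER_KEYS.get(proposer)
        if proposer not in self.members or key is None:
            return False
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.members.add(new_member)
        return True
```

Member names are assumed not to contain colons, since the message format uses them as separators.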
Professor Albrecht explains, “Ultimately, this means that any group chat that doesn’t individually verify every new person added could have their messages read.
“Therefore, the onus on securing group chats is on users rather than WhatsApp itself, which can be a huge problem for groups with hundreds of members where that just isn’t feasible.”
The team took as their starting point the WhatsApp white paper, which Meta publishes to outline the app’s security protocols, and then reverse-engineered the application to formally analyse it – a world first.
The researchers then checked WhatsApp’s claims as outlined in the white paper against their own descriptions of the platform’s cryptographic protocols, which are the sets of rules that specify how particular algorithms are combined to secure data.
The team proved that an attacker able to break these protocols and access user data could also solve several computational problems believed to be very hard, demonstrating that WhatsApp’s other security claims were true – namely that it does provide end-to-end encryption of messages. This means that WhatsApp and parent company Meta cannot read individual user messages or those sent in group chats.
In a statement responding to the researchers, WhatsApp said: “We’ve reviewed the researchers’ submission and appreciate their work. We’ve designed WhatsApp to bring simple, reliable and private messaging at scale to billions of people.
“For all groups, you are notified when someone new joins, and you can also enable security notifications that prominently let you know of any security code changes with who you’re chatting with. We’re always adding new layers of protection and we’ll keep doing so.”