It raises concerns that sensitive conversations, such as the WhatsApp group set up by women at Westminster to discuss alleged sexual harassment by MPs, could be infiltrated by outsiders.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them", explained Paul Rösler, one of the Ruhr University researchers who co-authored a paper which detailed the vulnerability.
But this new flaw means it would now technically be possible to infiltrate group messages, bypassing encryption.
He objected to the report, saying that WhatsApp has multiple ways to check and verify members in a group chat.
With over 1.2 billion monthly active users, WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages.
WhatsApp's end-to-end encryption of messages is welcomed by those who value privacy, and is a source of chagrin for many in the law enforcement community, but the messaging service nonetheless appears to be susceptible to attacks on user privacy.
On the surface, WhatsApp, which is owned by Facebook, looks to have a pretty big security flaw.
In response to the study, Facebook, which owns WhatsApp, has said it won't fix the problem, and that group chats "remain protected" by the app's encryption. When a user asks to add someone to a group, the server checks that the requesting user is authorized to administer that group and, if so, sends a message to every member of the group indicating that they should add that user. That immediately limits the potential of the exploit to employees, sophisticated hackers or governments who can convince the firm to give them access - but the risk is still there, and it rather negates the value of WhatsApp's encryption.
"While our investigation focuses on three major instant messaging applications, our methodology and the underlying model is of generic objective and can be applied to other secure group instant messaging protocols as well", researchers concluded in the paper. "The main exception to this is former group members, who already know the group ID - and can now add themselves back to the group with impunity". Existing members are notified when new people are added to a WhatsApp group. Shared messages can be encrypted as well.
Given the alternatives, I think that's a pretty reasonable design decision, and I think this headline pretty substantially mischaracterizes the situation.
The main problem is this: end-to-end encryption, which all of these messaging apps purport to offer, should not depend on uncompromised servers. "Entering the group however leaves traces since this operation is listed in the graphical user interface", the paper states, though it adds that the flaws also allow the attacker to hide their tracks.