The world’s most popular messaging app may claim to be an ultra-secure fortress, but it may need a rethink after a critical WhatsApp security flaw was exposed.

Security researchers from Ruhr University Bochum, Germany, have unearthed a number of security vulnerabilities in encrypted messaging apps such as WhatsApp, Signal and Threema. The team revealed their findings at the Real World Crypto security conference in Zurich on Wednesday this week. While all three apps are affected by one vulnerability or another, the one affecting WhatsApp seems to be the most serious.

According to the researchers, an inherent design flaw in the Facebook-owned chat app lets anyone in control of the WhatsApp servers insert new people into private group chats without needing admin permission, despite promises of end-to-end encryption.

Critical WhatsApp Security Flaw Discovered

While every member of the group will still receive notifications about a new member joining the group, the Ruhr University team says that an intelligent hacker in control of WhatsApp servers can use a few different workarounds to avoid, or at least delay, detection.

WhatsApp’s Response

While WhatsApp acknowledged the researchers' findings, a company spokesperson, in a telephonic conversation with Wired, still insisted that notifications will go out to each existing member about any new entrant to a group. “We built WhatsApp so group messages cannot be sent to a hidden user,” the report quoted a spokesperson as saying by email about the WhatsApp security flaw.

Meanwhile, Facebook’s Chief Security Officer Alex Stamos dismissed the findings with a public tweet.

Explaining The WhatsApp Security Flaw

The problems arise because of the extent to which a potential attacker could exploit this WhatsApp security flaw. They could block messages from admins or other members who may be trying to alert everyone about the new entrants, by caching messages and then selectively letting some through. A compromised WhatsApp server will also allow the hacker to decide which message gets sent to whom irrespective of the intended recipients.

The process gets a little tougher in groups with multiple admins, where, to make themselves seem like legit entrants into a group, the man-in-the-middle needs to send different messages to each admin, making it seem like another one had invited them to the group. What’s equally alarming is the claim that even after getting spotted as an uninvited guest, the hacker can prevent their expulsion from the group.
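
The design flaw described in this article, reduced to a simplified model (an added example, not WhatsApp's code or protocol): one client applies any "member added" event the server relays, the other applies it only if a known admin authenticated it end to end. The event fields, the names and the use of an HMAC under a pairwise admin-to-member key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def tag(key: bytes, event: dict) -> str:
    """MAC over a canonical encoding of the membership event."""
    body = json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class NaiveClient:
    """Trusts any 'add' event relayed by the server (the flawed design)."""
    def __init__(self, members):
        self.members = set(members)
    def on_add(self, event, mac=None):
        self.members.add(event["new_member"])
        return True

class VerifyingClient:
    """Accepts an 'add' only if a known admin authenticated it end to end."""
    def __init__(self, members, admin_keys):
        self.members = set(members)
        self.admin_keys = admin_keys  # admin name -> pairwise key (assumed)
        self.seen = set()             # event ids already applied (replay guard)
    def on_add(self, event, mac=None):
        key = self.admin_keys.get(event.get("admin"))
        if key is None or mac is None:
            return False              # not from an admin, or unauthenticated
        if not hmac.compare_digest(tag(key, event), mac):
            return False              # server-made or tampered event
        if event["id"] in self.seen:
            return False              # replayed event
        self.seen.add(event["id"])
        self.members.add(event["new_member"])
        return True

def demo():
    # Constructed sample data: names and key are illustrative only.
    admin_key = b"pairwise-key-alice-bob (constructed)"
    genuine = {"id": 1, "group": "g1", "admin": "alice", "new_member": "carol"}
    injected = {"id": 2, "group": "g1", "admin": "alice", "new_member": "mallory"}
    naive = NaiveClient({"alice", "bob"})
    strict = VerifyingClient({"alice", "bob"}, {"alice": admin_key})
    results = {
        "naive_injected": naive.on_add(injected),
        "strict_injected": strict.on_add(injected, mac="00" * 32),
        "strict_genuine": strict.on_add(genuine, tag(admin_key, genuine)),
        "strict_replay": strict.on_add(genuine, tag(admin_key, genuine)),
    }
    return results, naive.members, strict.members
```

In this model the server never holds the pairwise key, so it can relay or withhold an admin's event but cannot produce one that the verifying client accepts.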