
Researchers Discovered A Flaw That Allows Outsiders To Spy On Encrypted Group Chats

Researchers from Ruhr-Universität Bochum (RUB) in Germany have discovered that anyone who controls an encrypted messaging app's servers can spy on any of its private chat groups.

End-to-end encryption is meant to protect messages on instant messaging services like WhatsApp and Signal.

Its primary purpose is to ensure that no one, not even the company that transmits the data, can decrypt the messages.

But the researchers said that there is a flaw that allows spying on group conversations without being detected. This means that, in a worst-case scenario, a corrupt employee could eavesdrop on end-to-end encrypted communication.

The researchers described the flaw as affecting group chats. In a multi-user chat, encrypted messages are broadcast to all of the group's members, which increases the role the servers play in managing the process.

The flaw doesn't affect pairwise communications, where only two users communicate, because the server plays a very limited role.


As explained in the published RUB paper, titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," both WhatsApp and Signal have failed to properly authenticate who is adding a new member to a chat group.

It is possible for an unauthorized person, who isn't a group administrator or even a member of the group, to add someone to the group chat without anyone knowing.

According to the researchers, a compromised administrator or rogue employee with access to the encrypted apps' servers could manipulate (or block) the group management messages that are supposed to alert group members of a newly included member.

"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group," the paper reads.

"Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."

WhatsApp has acknowledged the issue, but argued that if a new member is added to a group by any means, the other group members will certainly be notified.

"We've looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user," said a WhatsApp spokesperson. "The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."

Moxie Marlinspike, a security researcher who developed Signal, which licenses its protocol to WhatsApp, said that the app's design is reasonable, and that the report only sends a message to others not to “build security into your products, because that makes you a target for researchers, even if you make the right decisions.”

The backdoor that could allow someone to spy on group conversations has raised questions over the security of users' conversations. While this is a serious concern for people who use encrypted messaging apps for chats, the trick is not easy to execute.

But still, the researchers are advising the companies to fix the issue by adding an authentication mechanism to make sure that the "signed" group management messages come from the group administrator only.
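
One way a client could enforce the check the researchers recommend, as an added example that is not code from the paper, WhatsApp or Signal. The message fields, the `epoch` counter and all function names are assumptions, and Ed25519 from Node's `crypto` module stands in for whatever signature scheme an app actually uses.

```javascript
// Added illustration: hypothetical message format, not WhatsApp's or Signal's protocol.
const crypto = require('node:crypto');

// Bytes covered by the signature: group, action, target and epoch (assumed fields).
function signedBytes(msg) {
  return Buffer.from(JSON.stringify([msg.groupId, msg.action, msg.target, msg.epoch]));
}

// Sender side: sign a group-management message with a private identity key.
function signUpdate(fields, signerId, privateKey) {
  const signature = crypto.sign(null, signedBytes(fields), privateKey).toString('base64');
  return { ...fields, signerId, signature };
}

// Member side: apply an update only if a current administrator signed these exact fields.
function applyUpdate(group, msg) {
  const adminKey = group.adminKeys.get(msg.signerId);
  if (!adminKey) return 'rejected: signer is not an administrator';
  if (msg.groupId !== group.id) return 'rejected: wrong group';
  if (msg.epoch !== group.epoch + 1) return 'rejected: stale or replayed update';
  const sig = Buffer.from(msg.signature || '', 'base64');
  if (sig.length !== 64 || !crypto.verify(null, signedBytes(msg), adminKey, sig)) {
    return 'rejected: bad signature';
  }
  if (msg.action === 'add') group.members.add(msg.target);
  group.epoch = msg.epoch;
  return 'accepted';
}

// Constructed scenario: alice administers the group; the server holds only its own key.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const server = crypto.generateKeyPairSync('ed25519');
  const group = { id: 'g1', epoch: 0, members: new Set(['alice', 'bob']),
                  adminKeys: new Map([['alice', alice.publicKey]]) };
  const add = (target, epoch) => ({ groupId: 'g1', action: 'add', target, epoch });
  const genuine = signUpdate(add('carol', 1), 'alice', alice.privateKey);
  const results = [
    // Add message in alice's name that was signed with the server's key.
    applyUpdate(group, signUpdate(add('eve', 1), 'alice', server.privateKey)),
    // Genuine add signed by alice.
    applyUpdate(group, genuine),
    // Genuine message with its target and epoch rewritten in transit.
    applyUpdate(group, { ...genuine, target: 'eve', epoch: 2 }),
    // Replay of the genuine message.
    applyUpdate(group, genuine),
  ];
  return { results, members: [...group.members] };
}
```

The check only holds if members obtain the administrator's public key through a channel the server cannot rewrite, for example the same key verification used for pairwise chats.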

Published: 11/01/2018


This post first appeared on Eyerys | Eyes For Solution.
