A WhatsApp design flaw that allows anyone to spy on private group chats has been discovered by security researchers. Despite the service’s end-to-end encryption, experts say hackers can insert people into WhatsApp groups without the permission of the chat’s admin.

In an obvious rejection of the study, Facebook, which owns WhatsApp, has said it won’t fix the problem, and that group chats remain protected by the app’s encryption.

Facebook’s Chief Security Officer Alex Stamos wrote in a series of tweets that the bug is not effective because WhatsApp users are notified when new members join conversations.

 

The study was presented at the Real World Crypto security conference in Zurich, Switzerland, by a group of researchers from Ruhr University Bochum in Germany.

They found that anyone with control over WhatsApp’s servers can add people to private group chats, including staff, hackers and governments who legally demand access.

Once a person has infiltrated a conversation, everyone in the chat automatically shares secret keys with that user. This means they have access to all future messages but cannot view past ones.