WhatsApp has had its own security issues, such as the alleged hack of Jeff Bezos's phone by Saudi Arabia and the vulnerability that allowed malicious actors to inject spyware on iOS and Android phones via a phone call. This latest mishap should scare you a bit. WhatsApp’s invite links to private chat groups are searchable on most search engines. This makes them discoverable, and literally anyone can join them.
Jordan Wildon, a journalist for Germany-based DW News, discovered this privacy flaw and took to Twitter. The “Invite to Group Link” WhatsApp feature let Google and other search engines index the groups, making them visible across the internet.
https://twitter.com/JordanWildon/status/1230829082662842369
It should be worrying as the invite links are shared outside of WhatsApp’s secure private messaging app.
This is scary as you can refine your searches and easily find interesting groups.
I see some very interesting #OSINT possibilities out there with a little Dorking. https://t.co/VhFUvbOQGe
— Zerconil 🔻 (@zerconil) February 21, 2020
This issue had been raised before but, as usual, Facebook-owned WhatsApp kept it low-key.
Of course they downplayed the significance of the issue…
— Jane Manchun Wong (@wongmjane) February 21, 2020
Vice’s Motherboard went deep and even joined groups, such as an NGO group accredited by the UN. Vice now had access to all of the group participants’ phone numbers.
WhatsApp is so incompetent that even when admins invalidate that invite link, the app creates a new link and doesn’t disable the old link.
However, the app cautions the person or admin generating the link to share it with people they trust.
“Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed,” said Danny Sullivan, Google’s public search liaison, in a tweet.
https://twitter.com/dannysullivan/status/1230921450598461440
It is WhatsApp’s fault not Google’s
https://twitter.com/dannysullivan/status/1231132501617172482
What Google is doing
Danny Sullivan added a link to directions in Google’s Help Center for blocking content from being included in search results.
https://twitter.com/dannysullivan/status/1231135830887944192
Flaw Fixed
WhatsApp has since fixed this flaw by removing the existing listing from Google and adding the noindex meta tag on the chat invitation links.
However, when you use other search engines such as Yandex, Bing and DuckDuckGo, you’ll find the links still listed.
It's great to see WhatsApp taking steps to fix the oversight. It's only the first steps though, because, as an open web, the search results are still listed on other search engines like Yandex, Bing and DuckDuckGo pic.twitter.com/hTth6HciEe
— Jane Manchun Wong (@wongmjane) February 22, 2020
Here’s what WhatsApp could’ve done better
WhatsApp could've prevented their group invite links from appearing on search engines like Google by specifying it in a file called "robots.txt" or including the specific info in the webpage https://t.co/RYWh84GpP3
— Jane Manchun Wong (@wongmjane) February 21, 2020
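An added example (not code from this article or from WhatsApp): a Python check a site owner can run over a share-link page to see whether it carries a noindex directive in a meta tag or an X-Robots-Tag header, and whether a robots.txt rule would keep crawlers from ever seeing that directive. The `audit` helper, the `chat.example` domain, the `/invite/` path and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"

def _tokens(value):
    # Split "noindex, nofollow"; an optional "botname:" prefix is dropped.
    return {t.split(":")[-1].strip().lower() for t in value.split(",")}

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= _tokens(a.get("content", ""))

def audit(url, headers, html, robots_txt, agent="*"):
    """Classify how a share-link page is exposed to search engine crawlers."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    if not rules.can_fetch(agent, url):
        # The crawler never fetches the page, so it cannot see a noindex on
        # it; the bare URL can still be listed if other sites link to it.
        return "crawl-blocked"
    meta = _RobotsMeta()
    meta.feed(html)
    header = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    if (meta.directives | _tokens(header)) & BLOCKING:
        return "noindex"
    return "indexable"

if __name__ == "__main__":
    # Constructed sample: hypothetical invite page on a placeholder domain.
    url = "https://chat.example/invite/AbC123"
    page = '<html><head><meta name="robots" content="noindex"></head></html>'
    print(audit(url, {}, "<html></html>", ""))
    print(audit(url, {}, page, ""))
    print(audit(url, {}, page, "User-agent: *\nDisallow: /invite/"))
```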
Here’s what you can do
Google has a tool that will tell its search engine not to index the links to your WhatsApp groups. But heads up, it’s a taxing process.
You can also ask group members in your chat to not share links outside of WhatsApp.
Another option is to stop using WhatsApp, not just because of its security issues but also because it lacks features that other, better and more private chat apps have, such as Telegram, Wickr Me and Signal.
What about other private messaging apps?
Telegram links are also listed on search engines even though the app has private groups that aren’t searchable.
https://twitter.com/dannysullivan/status/1231127219897950209