WhatsApp has had its own security issues such as the alleged hack of Jeff Bezos phone by Sudi Arabia and the vulnerability that allowed malicious actors to inject spyware on iOS and Android phones via a phone call. This latest mishap should scare you a bit. WhatsApp’s invite links to private chat groups are searchable on most search engines. This makes them discoverable and literally anyone can join them.
Jordan Wildon, a journalist for Germany-based DW News discovered this privacy flaw and took to Twitter. The “Invite to Group Link” WhatsApp feature let Google and other search engines index the groups making them visible across the internet.
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
It should be worrying as the invite links are shared outside of WhatsApp’s secure private messaging app.
This is scary as you can refine your searches and easily find interesting groups.
I see some very interesting #OSINT possibilities out there with a little Dorking. https://t.co/VhFUvbOQGe
— Zerconil (@zerconil) February 21, 2020
This issue had been raised but as usual, Facebook-owned WhatsApp kept it lowkey.
Of course they downplayed the significance of the issue…
— Jane Manchun Wong (@wongmjane) February 21, 2020
Vice’s Motherboard went deep and even joined groups such as an NGO groups accredited by the UN. Vice now had access to all of the group participants phone numbers.
WhatsApp is so incompetent that even when admins invalidate that invite link, the app creates a new link and doesn’t disable the old link.
However, the app cautions the person or admin generating the link to share it with people they trust.
“Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed,” said Danny Sullivan, Google’s public search liaison in a tweet.
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3
— Danny Sullivan (@dannysullivan) February 21, 2020
It is WhatsApp’s fault not Google’s
For what it's worth, I read the headline with "letting" as suggesting we allowed something that we shouldn't have let happen. In reality, all we did was list pages on the open web that weren't blocked to us, which is exactly how search engines are supposed to work….
— Danny Sullivan (@dannysullivan) February 22, 2020
What Google is doing
Danny Sullivan added a link to directions in Google’s Help Center for blocking content from being included in search results
Anyway, maybe it will help raise awareness of how and why sites may wish to block content. We have extensive help docs on this: https://t.co/D1YIt228E3 pic.twitter.com/xOdeTkSvoo
— Danny Sullivan (@dannysullivan) February 22, 2020
Flaw Fixed
WhatsApp has since fixed this flaw by removing the existing listing from Google and adding the noindex meta tag on the chat invitation links.
However, when you use other search engines such as Yandex, Bing and DuckDuckGo, you’ll find the links still listed.
It's great to see WhatsApp taking steps to fix the oversight. It's only the first steps though, because, as an open web,
the search results are still listed on other search engines like Yandex, Bing and DuckDuckGo pic.twitter.com/hTth6HciEe
— Jane Manchun Wong (@wongmjane) February 22, 2020
Here’s what WhatsApp could’ve done better
WhatsApp could've prevented their group invite links from appearing on search engines like Google by specifying it in a file called "robots.txt" or including the specific info in the webpagehttps://t.co/RYWh84GpP3
— Jane Manchun Wong (@wongmjane) February 21, 2020
Here’s What You can do
Google has a tool that will tell its earch engine to not index the links to your WhatsApp groups. But headsup, its a taxing process.
You can also ask group members in your chat to not share links outside of WhatsApp.
Another option is to stop using WhatsApp, not just of its security issues but also the lack of features its other better and more private chat apps have such as Telegram, Wickr Me and Signal.
What about other private messaging apps
Telegram links are also listed on search engines even though the app has private groups that aren’t searchable.
If noindex tags are added to pages, our Remove URLs Tool can be used by a site owner to speed up getting them dropped. It can be very fast. More about it here: https://t.co/vA6eGsQoKJ
— Danny Sullivan (@dannysullivan) February 22, 2020
Privacy Apps You Should Download Right Now!
