Published: February 22, 2020 12:10:01 pm
Your private WhatsApp group invite links are not so private. A simple Google search will reveal links to join these groups, including details of group members such as phone numbers in some cases.
This was first discovered by Deutsche Welle journalist Jordan Wildon, who revealed on Twitter that the “Invite to Group via Link” feature allows WhatsApp groups is indexed by Google.
It does raise an issue given this would mean anyone can find a link to a WhatsApp Group and join it. WhatsApp however, noted this is not a flaw as such.
App reverse-engineer Jane Wong, who also posted a screenshot on Twitter, was able to see close to 470,000 WhatsApp groups results when using search of “chat.whatsapp.com” on Google.
A WhatsApp spokesperson told Vice said in a statement, “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Vice reported that Motherboard could access WhatsApp groups as well, which many were for sharing porn. Meanwhile, it was able to access phone numbers of all 48 participants of a WhatsApp group claiming to be NGOs accredited by the United Nations.
Google’s public search liaison Danny Sullivan explained in a reply to Wildon’s tweet that the company does offer tools that allow sites to block content that can be listed in Search results.
“Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results,” Sullivan’s tweet read.
According to Wong, though there are simple technical tools to avoid this kind of indexing from happening.
Meanwhile, Twitter user @hackrzvijay claimed he revealed the WhatsApp private group chat link bug to Facebook early November, though the company responded saying “the links being accessible by anyone was an intentional product decision”.
He also posted the response letter from Facebook that largely seems to blame Google for indexing the links. It suggests group admins invalidate links to avoid indexing.
Express Tech is now on Telegram. Click here to join our channel (@expresstechie) and stay updated with the latest tech news
WhatsApp private group invite links were rolled out as a security feature where group admins can send a private message with the invitation link to the group to users whom they want to add to the group. A user needs to approve whether they are interested in joining a group on WhatsApp to which they have been invited. The invite link expires after three days.
Your WhatsApp groups may not be as secure as you think they are.
The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3
— Danny Sullivan (@dannysullivan) February 21, 2020
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
— Jane Manchun Wong (@wongmjane) February 21, 2020
I reported to facebook in early november pic.twitter.com/QB7pHsz5vu
— HackrzVijay 💻 (@hackrzvijay) February 21, 2020
But with the links being publicly available, as reports have revealed, it does raise issues around who can join the group. In some cases admins might not even know who all have joined a group, thanks to the link being public.
While WhatsApp and Google do not view it as a flaw, for admins this only means an extra headache as it would be better now to double check who all are in the group.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines
© IE Online Media Services Pvt Ltd