Google was publicly indexing your private WhatsApp groups, and no one knows for how long

Some search engines are still showing results for WhatsApp groups
Privacy news
1 min
Google search results page with whatsapp icons showing WhatsApp links..

This post was originally published on February 25, 2020.

Up until a few days ago, if anyone had created a link to invite people to a WhatsApp group via the “Invite to Group Link,” someone could find it with a Google search and join it.

DW journalist Jordan Wildon discovered that WhatsApp group invite links were indexed by Google, thereby making the group  publicly visible for anyone with WhatsApp to join.

The Facebook-owned messaging app, which now has 2 billion users, had apparently neglected to mark generated links as ‘no-index’ preventing them from showing up on search engines like Google in the first place.

[Learn more about how to protect your privacy online. Sign up for the ExpressVPN blog newsletter.]

The security risks don’t end there. Motherboard reporter Joseph Cox joined an alleged WhatsApp group of UN staffers and was able to pore over a lot of personally identifiable information, like the names and phone numbers of group members.

Before WhatsApp fixed this error, security researcher Jane Wong found hundreds of thousands of private WhatsApp groups by searching site:https://chat.whatsapp.com. This has now been fixed on Google, but some WhatsApp groups are still showing up on smaller search engines like Bing, DuckDuckGo, Yandex, and AOL.  

It’s currently not clear just how much personal information was available, or for how long this loophole was left unrectified (it could be as far back as 2016!).

If you’re in a WhatsApp group and have privacy concerns, we recommend you take the following steps:

  1. Know that creating a WhatsApp group can put its participants at risk. Anyone in the group can still create the link to invite people, and the invite link can only be refreshed, not disabled.
  2. Avoid posting anything sensitive in a WhatsApp group, period. Opt for an encrypted email service or an encrypted messaging service to send that information.
  3. Rip the bandaid and stop using WhatsApp altogether. Use Signal instead, an open-source, encrypted messaging service that has all the features you want in a messaging app and will not generate a searchable link for your group.
Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.