This post was originally published on February 25, 2020.
Up until a few days ago, if anyone had created a link to invite people to a WhatsApp group via the “Invite to Group Link,” someone could find it with a Google search and join it.
DW journalist Jordan Wildon discovered that WhatsApp group invite links were indexed by Google, thereby making the group publicly visible for anyone with WhatsApp to join.
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
The Facebook-owned messaging app, which now has 2 billion users, had apparently neglected to mark generated links as ‘noindex’, which would have prevented them from showing up on search engines like Google in the first place.
The security risks don’t end there. Motherboard reporter Joseph Cox joined an alleged WhatsApp group of UN staffers and was able to pore over a lot of personally identifiable information, like the names and phone numbers of group members.
New: Google is letting anyone find invite links to some private WhatsApp groups. Here is one we joined that is supposed to be for United Nations NGOs judging by its description. Can see members and get numbers https://t.co/TzWjqQmm2P pic.twitter.com/jda25POc0h
— Joseph Cox (@josephfcox) February 21, 2020
Before WhatsApp fixed this error, security researcher Jane Wong found hundreds of thousands of private WhatsApp groups by searching `site:https://chat.whatsapp.com`. This has now been fixed on Google, but some WhatsApp groups are still showing up on smaller search engines like Bing, DuckDuckGo, Yandex, and AOL.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
thanks @JordanWildon for the tip https://t.co/CJxjJ5qyfh pic.twitter.com/FrW1I9Y8vs
— Jane Manchun Wong (@wongmjane) February 21, 2020
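The two controls named above (a robots.txt `Disallow` rule and the `noindex` directive) can be checked for any link-landing page you operate. The following is an added example, not code from WhatsApp or from the original post; the URL, page markup and function names are constructed for illustration, and user-agent-scoped `X-Robots-Tag` values are not handled.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for noindex, nofollow


def _split(value):
    return {d.strip().lower() for d in (value or "").split(",") if d.strip()}


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives |= _split(a.get("content"))


def indexing_controls(url, robots_txt, headers, html, agent="*"):
    """Report which controls keep the content at `url` out of a search index."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_blocked = not rp.can_fetch(agent, url)

    meta = RobotsMeta()
    meta.feed(html)
    found = set(meta.directives)
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":  # HTTP header form of the meta tag
            found |= _split(value)
    noindex = bool(found & BLOCKING)

    return {
        "crawl_blocked": crawl_blocked,
        "noindex": noindex,
        # A crawler that may not fetch the page never sees its noindex.
        "noindex_seen": noindex and not crawl_blocked,
        "content_indexable": not crawl_blocked and not noindex,
    }


# Constructed sample: a hypothetical invite page with no controls at all.
URL = "https://chat.example.com/invite/PLACEHOLDER"
PAGE = "<html><head><title>Join group</title></head><body></body></html>"
print(indexing_controls(URL, "", {}, PAGE))
```

A `Disallow` rule only stops crawling: a URL that is linked from elsewhere can still be listed without its content, and the rule hides any `noindex` on the page from the crawler, so `noindex` on a crawlable page is the control that removes it from results.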
It’s currently not clear just how much personal information was available, or for how long this loophole was left unrectified (it could be as far back as 2016!).
If you’re in a WhatsApp group and have privacy concerns, we recommend you take the following steps:
- Know that creating a WhatsApp group can put its participants at risk. Anyone in the group can still create the link to invite people, and the invite link can only be refreshed, not disabled.
- Avoid posting anything sensitive in a WhatsApp group, period. Opt for an encrypted email service or an encrypted messaging service to send that information.
- Rip off the bandaid and stop using WhatsApp altogether. Use Signal instead, an open-source, encrypted messaging service that has all the features you want in a messaging app and will not generate a searchable link for your group.