Many WhatsApp private groups are indexed in Google and open to the public

Posted on Feb 25, 2020 by Caleb Chen

Many WhatsApp private groups were left exposed on the open web due to a privacy-ignoring configuration error by Facebook’s WhatsApp. The discovery was made by Jordan Wilson, a journalist for DW.com. He noticed that the “Invite to Group via Link” function for WhatsApp private groups creates a link that, when posted on the public internet, ends up being indexed by search engines such as Google, DuckDuckGo, and Bing.

That means that many private groups on WhatsApp actually had their doors wide open. When someone enters the group, the phone numbers of all group members and all previous messages are laid bare to the newcomer, and no permission from existing members is needed.

Why are there searchable WhatsApp private groups?

WhatsApp says they aren’t going to do anything about it because the functionality of private groups still works as intended. What’s happening here is that private WhatsApp groups have invite links – that’s often how new users are added. The problem arises when a private WhatsApp group’s invite link gets posted somewhere that Google crawls (which is everywhere online). Essentially, if a member of your group leaks the invite link by posting it on the public internet somewhere, a search engine will find it, and new users will eventually be able to enter your private group.

A WhatsApp spokesperson emphasized to The Independent that this was normal functionality:

“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

Facebook has actually known about this issue since November, 2019 – when they received a bug report about it from HackrzVijay.

https://twitter.com/hackrzvijay/status/1230853118490857478

Within a day of media coverage about the lack of privacy surrounding private WhatsApp groups, WhatsApp finally decided to use Google’s noindex tag for invite links to keep them from being indexed. While Google has stopped indexing these links, other search engines are still indexing them.
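How a noindex directive is evaluated per crawler, as an added example that is not part of the original post and does not reproduce WhatsApp's actual markup. It shows why a directive scoped to one crawler (a `googlebot` meta tag or a prefixed `X-Robots-Tag` header) leaves other search engines free to index a page; the sample pages and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"

# Constructed sample pages (not WhatsApp's real markup).
PAGE_ALL_CRAWLERS = '<head><meta name="robots" content="noindex, nofollow"></head>'
PAGE_GOOGLE_ONLY = '<head><meta name="googlebot" content="noindex"></head>'
PAGE_NO_DIRECTIVE = '<head><meta name="viewport" content="width=device-width"></head>'


class RobotsMeta(HTMLParser):
    """Collect (scope, directives) pairs from <meta name=... content=...> tags."""

    def __init__(self):
        super().__init__()
        self.rules = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or not a.get("name") or "content" not in a:
            return
        name = a["name"].strip().lower()
        scope = "*" if name == "robots" else name  # other names target one crawler
        self.rules.append((scope, {d.strip().lower() for d in a["content"].split(",")}))


def header_rules(headers):
    """Parse X-Robots-Tag values, including the 'crawler: directives' form."""
    rules = []
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        scope, sep, rest = value.partition(":")
        if sep and "," not in scope and scope.strip().lower() != "unavailable_after":
            agent, value = scope.strip().lower(), rest
        else:
            agent = "*"
        rules.append((agent, {d.strip().lower() for d in value.split(",")}))
    return rules


def is_noindexed(headers, html, crawler):
    """True if this crawler is told not to index the page."""
    parser = RobotsMeta()
    parser.feed(html)
    crawler = crawler.lower()
    return any(scope in ("*", crawler) and bool(directives & BLOCKING)
               for scope, directives in header_rules(headers) + parser.rules)
```

Site owners who hand out capability-style links can run a check like this against their own responses for each crawler they care about, rather than assuming one engine's behaviour covers the rest.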

What can you do to protect your WhatsApp private group?

Members of private groups should check their member list to see if anyone has snuck in via this method. It’s also wise for members of any group that’s supposed to be private to have a frank conversation about this possible attack vector. Better yet, consider using better software that isn’t closed source and owned by a megalithic, privacy-disregarding advertising company. In case your invite link is already out there, WhatsApp does let you reset the invite link, which invalidates the old link. Really paranoid people could even regularly destroy and recreate the private group. However, at that point, they should really just get back to the main point: Don’t use WhatsApp in the first place.