Many WhatsApp private groups are indexed in Google and open to the public

Posted on Feb 25, 2020 by Caleb Chen
Share Tweet

Many WhatsApp private groups were left exposed on the open web due to a privacy-ignoring configuration error by Facebook’s WhatsApp. The discovery was made by Jordan Wilson, a journalist for He noticed that the “Invite to Group via Link” function for WhatsApp private groups creates a link that, when posted on the public internet, ends up being indexed by search engines such as Google, DuckDuckGo, and Bing.

That means that many private groups on WhatsApp actually had their doors wide open. When someone enters the group, all phone numbers of group members and previous messages are all laid bare to the newcomer and no permission from existing members is needed.

Why are there search-able WhatsApp private groups?

WhatsApp says they aren’t going to do anything about it because the functionality of private groups works as intended,still. What’s happening here is that private WhatsApp groups have invite links – that’s often how new users are added. However, if that private WhatsApp group’s private invite link gets posted somewhere that Google crawls (which is everywhere online). Essentially, if a member of your group leaks the invite link by posting it on the public internet somewhere, A search engine will find it, and new users will eventually be able to enter your private group.

A WhatsApp spokesperson emphasized to The Independent that this was normal functionality:

“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

Facebook has actually known about this issue since November, 2019 – when they received a bug report about it from HackrzVijay.

Within a day of media coverage about the lack of privacy surrounding private WhatsApp groups, WhatsApp finally decided to use Google’s -noindex tag for invite links to keep them from being indexed, While Google has stopped indexing these links, other search engines still are indexing them.

What can you do to protect your WhatsApp private group?

Members of private groups should check their members list to see if anyone has snuck in via this method. It’s also wise for group members of any group that’s supposed to be private to have a frank conversation about this possible attack vector. Better yet, consider using a better software that isn’t closed source and owned by a megalithic, privacy-disregarding, advertising company. In case your invite link is already out there, WhatsApp does let you reset the invite link which invalidates the old link. Really paranoid people could even regularly destroy and recreate the private group. However, at that point, they should really just get back to the main point: Don’t use WhatsApp in the first place.

About Caleb Chen

Caleb Chen is a digital currency and privacy advocate who believes we must #KeepOurNetFree, preferably through decentralization. Caleb holds a Master's in Digital Currency from the University of Nicosia as well as a Bachelor's from the University of Virginia. He feels that the world is moving towards a better tomorrow, bit by bit by Bitcoin.

VPN Service