Over 400K private WhatsApp group invite links are exposed to search engines
WhatsApp is one of the most widely used messaging platforms on the planet. Just this month, the company announced they had passed 2 billion users. Like with other messaging platforms, WhatsApp group chats are a popular way to communicate with your family or groups of friends, colleagues, or Internet strangers. Users can invite others to private groups with the “Invite to Group via Link” feature and then share that link any way they’d like. If those invite links happen to be shared online, it looks like it’s alarmingly easy to find them with a simple search engine query.
Your WhatsApp groups may not be as secure as you think they are.
The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups.
— Jordan Wildon (@JordanWildon) February 21, 2020
This design flaw was first reported by journalist Jordan Wildon on Twitter. He discovered that the “Invite to Group via Link” URLs were being indexed by Google and could be found with the right search terms. The group chat links use the “chat.whatsapp.com” base URL, which can be found on Google with the “site:” modifier.
Jane Manchun Wong, known for reverse-engineering apps, brought more attention to the situation. She found that Google has over 470,000 results when doing a simple site search for the “chat.whatsapp.com” URL. Many of these results are invites for private groups. Once a user joins a group, they can see all of the participants and their phone numbers. Obviously, this is a pretty big privacy issue as some of the groups out there are ones people may not want to be publicly associated with.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
— Jane Manchun Wong (@wongmjane) February 21, 2020
Danny Sullivan, Google’s public search liaison, tweeted about the situation, saying: “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed.” He goes on to say there are tools for webmasters to prevent content from appearing in search results, which WhatsApp clearly needs to do to protect users of these groups.
This is not the fault of Google or any other search engine. As Jane and Danny pointed out, this is due to a lack of foresight on WhatsApp’s part. They should be using the “noindex” meta tag or a robots.txt rule to exclude the invite pages from appearing in search engines. Note that the two are not interchangeable: a robots.txt Disallow only stops crawling, and a blocked URL that is linked from public pages can still be listed, so a noindex directive on a crawlable page is what actually keeps it out of the index.
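As an added example (not code from WhatsApp or from this article), here is a small Python check a site operator could run against their own invite-link endpoint's robots.txt, response headers and HTML to see which of these exclusion controls are actually in place. The invite URL, headers and HTML below are constructed, and the robots.txt parsing is deliberately simplified.

```python
# Added example (not WhatsApp's code): check whether an invite-link page is
# kept out of search indexes. All sample values below are constructed.
import re
from urllib.parse import urlparse

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')

def robots_disallows(robots_txt: str, path: str, agent: str = "*") -> bool:
    """Disallow prefix match for `agent` (simplified: no Allow/wildcard handling)."""
    rules, current = {}, []
    for raw in robots_txt.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            current = rules.setdefault(value.lower(), [])
        elif key == "disallow" and value:
            current.append(value)
    return any(path.startswith(rule) for rule in rules.get(agent.lower(), []))

def header_noindex(headers: dict) -> bool:
    """True if the X-Robots-Tag response header says noindex (or none)."""
    value = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    return bool({d.strip().lower() for d in value.split(",")} & {"noindex", "none"})

def meta_noindex(html: str) -> bool:
    """True if a <meta name="robots"> tag says noindex (or none)."""
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "robots":
            directives = {d.strip().lower() for d in attrs.get("content", "").split(",")}
            if directives & {"noindex", "none"}:
                return True
    return False

def assess(url: str, robots_txt: str, headers: dict, html: str) -> dict:
    """robots.txt only stops crawling: a Disallowed URL linked from public pages
    can still be listed, and a crawler never sees noindex on a page it may not
    fetch. Only a noindex on a crawlable page reliably keeps it out."""
    blocked = robots_disallows(robots_txt, urlparse(url).path)
    noindex = header_noindex(headers) or meta_noindex(html)
    return {"robots_disallow": blocked, "noindex": noindex,
            "indexable": not (noindex and not blocked)}

# Constructed invite URL and two configurations: weak (nothing set) and hardened.
INVITE_URL = "https://chat.example.com/invite/EXAMPLECODE"
WEAK_HEADERS, WEAK_HTML = {"Content-Type": "text/html"}, "<html><head></head></html>"
HARD_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}
HARD_HTML = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
OPEN_ROBOTS = "User-agent: *\nAllow: /\n"
```

Calling `assess(INVITE_URL, OPEN_ROBOTS, WEAK_HEADERS, WEAK_HTML)` reports the page as indexable, while the hardened headers and HTML report it as excluded; adding a Disallow on top of the hardened page flips it back to indexable, because the crawler can no longer see the noindex.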
A WhatsApp spokesperson has released the following statement to Vice:
Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
WhatsApp is saying that links shared publicly on the internet are searchable, but that’s handwaving the real issue here. This is not a case of people finding a few group chat links that were unwisely shared online. Thousands of group chat invite links are easily discoverable because WhatsApp is refusing to do anything to prevent search engines from indexing them. People shouldn’t be sharing these URLs online, but WhatsApp could solve the problem of them being so easily searchable.