Don’t post your private chat links on public platforms! Security experts have long urged this on admins who care more about their participants’ privacy than about their following. A new incident showed tens of thousands of private WhatsApp chat invite links being openly accessible from Google. This is possible because admins or other participants post their group’s invite links on public platforms, which are crawled by Google.
470,000 groups are open to join!
Jordan Wildon, a multimedia journalist at Deutsche Welle, tweeted about WhatsApp group links being openly available on Google. He said:
Your WhatsApp groups may not be as secure as you think they are.
The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
Further, it can allow anyone to join and view the contact information of participants in that group. Jane Manchun Wong, a reverse engineer, studied this case and said a misconfiguration in WhatsApp is letting Google index the links publicly. She also suggested a remedy: adding a Disallow rule in robots.txt or adding a noindex meta tag.
Vice, which reported this first, said a typical search can turn up typical groups, and that tens of thousands of groups are openly available to join, a few of them highly sensitive, such as groups used for sharing porn.
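The two remedies mentioned above interact: a robots.txt Disallow stops a compliant crawler from fetching the page, so a noindex tag on that page is never read, and a URL linked from elsewhere can still be listed. The following check is an added example, not code from WhatsApp, Google or the researchers quoted here; the site invite.example, its robots.txt and its pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample data for a hypothetical site, invite.example.
ROBOTS_TXT = "User-agent: *\nDisallow: /invite/\n"
INVITE_URL = "https://invite.example/invite/CONSTRUCTED-CODE"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex"></head></html>'
PAGE_PLAIN = "<html><head><title>Join group</title></head></html>"


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def indexing_status(robots_txt, url, headers, html, agent="Googlebot"):
    """Classify how a crawler that honours these signals would treat url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    meta = RobotsMeta()
    meta.feed(html)
    # Simplification: agent-scoped header values ("googlebot: noindex") are not parsed.
    header = {d.strip().lower() for d in headers.get("X-Robots-Tag", "").split(",")}
    noindex = bool({"noindex", "none"} & (meta.directives | header))

    if not crawlable:
        # Disallow stops the fetch, so a noindex on the page is never read,
        # and a URL linked from elsewhere can still be listed without a snippet.
        return "not-crawled-noindex-unseen" if noindex else "not-crawled"
    return "noindex" if noindex else "indexable"


if __name__ == "__main__":
    for robots, page in [("", PAGE_PLAIN), ("", PAGE_NOINDEX), (ROBOTS_TXT, PAGE_NOINDEX)]:
        print(indexing_status(robots, INVITE_URL, {}, page))
```

A result of "not-crawled-noindex-unseen" means the two settings are working against each other: for the noindex to take effect, the invite path has to stay crawlable.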
Responses
A WhatsApp spokesperson said, “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Further, Google’s Public Search Liaison responded to this incident in a tweet: “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results.”