Updated: January 11, 2021 1:08:41 pm
Update: The issue where WhatsApp group links were being indexed on Google appears to have been resolved.
Imagine discussing important details with your office colleagues on the team’s WhatsApp group, when suddenly a random person joins in. This person now has immediate access to information like the details of group members and the group’s name and profile picture. This was a real issue: it was possible to discover a private group chat via Google Search. The issue was fixed back in 2019 but has now surfaced again.
A new report by Internet Security Researcher Rajshekhar Rajaharia (@rajaharia) suggests that WhatsApp groups that use invite links to let users join may once again be discoverable online. This would theoretically allow anyone to join the group. Indian Express verified the vulnerability and can confirm that some WhatsApp groups may be joinable from the web.
Your @WhatsApp groups may not be as secure as you think they are. WhatsApp Group Chat Invite Links, User Profiles Made Public Again on @Google Again.
Story – https://t.co/GK2KrCtm8J #Infosec #Privacy #Whatsapp #infosecurity #CyberSecurity #GDPR #DataSecurity #dataprotection pic.twitter.com/7PvLYuM9xD
— Rajshekhar Rajaharia (@rajaharia) January 10, 2021
When WhatsApp group chat invite links are indexed, links to private groups can be searched for across the web and used to join those groups. This exposes the phone numbers of group members along with their profile pictures. Should nobody notice the unwelcome entry, the stranger could stay hidden for quite some time until someone realizes their presence. What’s worse, even after such strangers are kicked out of the group, their brief entry still leaves them with the list of phone numbers in the group.
“Since March 2020, WhatsApp has included the “noindex” tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website,” the company said in a statement.
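For anyone who runs pages that hand out private invite or deep links, this added example (not code from the article or from WhatsApp) checks whether a response actually carries a "noindex" directive, either as a robots meta tag or as an X-Robots-Tag header. The function names and the sample pages in the test calls are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"

def _tokens(value):
    """Split a comma-separated directive list into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

class _RobotsMeta(HTMLParser):
    """Collect the content of every <meta name=...> tag, keyed by name."""
    def __init__(self):
        super().__init__()
        self.rules = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        name = attr.get("name", "").strip().lower()
        if name:
            self.rules.setdefault(name, set()).update(_tokens(attr.get("content", "")))

def header_rules(headers, crawler):
    """Parse X-Robots-Tag headers; a 'crawler:' prefix scopes a rule to that crawler."""
    rules = {}
    for key, value in headers:
        if key.lower() != "x-robots-tag":
            continue
        agent, sep, rest = value.partition(":")
        if sep and agent.strip().lower() == crawler:
            scope, value = crawler, rest
        else:
            scope = "robots"  # unscoped rule, or one addressed to another crawler
        rules.setdefault(scope, set()).update(_tokens(value))
    return rules

def index_exclusion(html, headers=(), crawler="googlebot"):
    """Return where a noindex directive applying to `crawler` was found (empty = indexable)."""
    parser = _RobotsMeta()
    parser.feed(html)
    found = []
    for origin, rules in (("meta", parser.rules), ("header", header_rules(headers, crawler))):
        for scope in ("robots", crawler):
            if rules.get(scope, set()) & BLOCKING:
                found.append(f"{origin}:{scope}")
    return found
```

An empty result means the page is eligible for indexing. A crawler can only honour the tag if it is allowed to fetch the page, so a robots.txt rule that blocks the same URL keeps the directive from being seen.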
This has happened before in 2019
Back in 2019, the same issue was found by a security researcher, who reported the matter to Facebook. It was later fixed after the issue became public and attracted a lot of media attention. However, as per a report by Gadgets360, the same groups which were exposed in 2019 are no longer indexable, suggesting that a different issue has led to the bug.
User profiles indexed on Google
The issue is not just with group invite links, but also with individual user account profiles. URLs of people’s profiles can now be searched on Google. This allows strangers to access the profiles of those indexed, displaying their phone numbers, and in some cases, their profile pictures as well. This issue too has taken place before and was reportedly fixed in June 2020. Indian Express has reached out to WhatsApp for a comment on the issue.