A DW employee discovered that Google is indexing invite links to WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.
Your WhatsApp groups may not be as secure as you think they are.
The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
Both Wildon and Jane Manchun Wong, who specializes in reverse-engineering apps, agree that it appears the links to private groups may have to be shared online first before being indexed by Google. By making small changes to the URL it may be possible to access groups that aren’t listed, Wildon explained, using a process known as “dorking.”
Facebook, which owns WhatsApp, may have known about this problem at least since November 2019, when they appear to have sent a reply to a user who notified them of the issue.
The reply, apparently from Facebook on November 12, 2019, stated that although the company was surprised that links are indexed by Google, the company “cannot completely control what all search engines, Google, and others, index.”
The screenshot of Facebook’s reply was posted in the thread on Wildon’s tweet. DW is in the process of verifying whether this reply was sent by Facebook.
DW’s Facebook editor Sofia Diogo Mateus said: “The indication that Facebook knew about the issue back in November and the fact the feature has not been disabled means that it is probably a trade-off between enhanced privacy and ease of usability — and Facebook has a history of opting for the latter.”