WhatsApp Group Chat Invite Links Indexed by Google Search, Let Anyone Enter Private Groups
Google appears to have stopped showing results for the particular search that served group chat invite results.
Controversy broke when a report on Friday revealed that Google had indexed invite links to private WhatsApp group chats, meaning anyone can join various private chat groups (including several porn-sharing groups) with a simple search. Google appears to have since modified the search results to stop the invite links from being shown.
According to a report in Motherboard, invitations to WhatsApp group chats were being indexed by Google. Gadgets 360 was able to independently verify the existence of indexed invite links to private WhatsApp groups by searching for “site:chat.whatsapp.com” in Google after the report broke. In the hours following the report, however, Google appears to have stopped showing results for that search, instead returning the message “Your search – site:chat.whatsapp.com – did not match any documents.” We’ve reached out to Google to comment on the removal.
The vulnerability of chat invite links has long been discussed: if a publicly shareable link gets into the wrong hands, anyone can enter the group.
The Motherboard team found private groups using specific Google searches. It even joined a group intended for NGOs accredited by the UN, where it had access to all the participants and their phone numbers.
Journalist Jordan Wildon said on Twitter that he discovered that WhatsApp’s “Invite to Group Link” feature lets Google index groups, making them available across the internet since the links are being shared outside of WhatsApp’s secure private messaging service.
“Your WhatsApp groups may not be as secure as you think they are,” Wildon tweeted on Friday, adding that using particular Google searches, people can discover links to the chats.
According to app reverse-engineer Jane Wong, Google has around 470,000 results for a simple search of “site: chat.whatsapp.com”, part of the URL that makes up invites to WhatsApp groups.
WhatsApp spokesperson Alison Bonny said: “Like all content that is shared in searchable public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users.”
“The links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website,” Bonny told The Verge.
Danny Sullivan, Google’s public search liaison, tweeted: “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results.”
The issue was reported to Facebook as far back as November, a security researcher claims.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
thanks @JordanWildon for the tip https://t.co/CJxjJ5qyfh pic.twitter.com/FrW1I9Y8vs
— Jane Manchun Wong (@wongmjane) February 21, 2020
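The two controls named in the tweet above behave differently: a robots.txt `Disallow` stops crawling, while a `noindex` directive only takes effect if the crawler is allowed to fetch the page and read it. The Python check below is an added example, not code from the article, WhatsApp or Google; the function name, verdict labels, placeholder host and sample inputs are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def audit_indexability(url, robots_txt, headers, html, agent="Googlebot"):
    """Classify a URL from its robots.txt, response headers and HTML (all passed in)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    # noindex can arrive as an X-Robots-Tag header or as a robots meta tag.
    # Simplification: per-agent header prefixes ("googlebot: noindex") are not parsed.
    header = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    directives = {d.strip().lower() for d in header.split(",")}
    meta = RobotsMeta()
    meta.feed(html)
    noindex = bool((directives | meta.directives) & {"noindex", "none"})

    if crawlable and noindex:
        verdict = "excluded"        # crawler fetches the page and honours noindex
    elif crawlable:
        verdict = "indexable"       # nothing stops the page being listed
    elif noindex:
        verdict = "noindex-unseen"  # Disallow keeps the crawler from ever reading noindex
    else:
        verdict = "url-only"        # not crawled, but the bare URL can be listed if linked
    return {"crawlable": crawlable, "noindex": noindex, "verdict": verdict}

# Constructed sample: placeholder host and invite code, not a real link.
URL = "https://chat.example.test/AbCdEf123456"
PAGE = "<html><head><title>Group invite</title></head><body></body></html>"
NOINDEX_PAGE = PAGE.replace("<head>", '<head><meta name="robots" content="noindex, nofollow">')
BLOCK_ALL = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for robots, page in (("", PAGE), (BLOCK_ALL, PAGE), ("", NOINDEX_PAGE), (BLOCK_ALL, NOINDEX_PAGE)):
        print(audit_indexability(URL, robots, {}, page)["verdict"])
```

The "noindex-unseen" case is the one to watch when both controls are applied together: the `Disallow` prevents the crawler from ever seeing the `noindex`.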
https://twitter.com/hackrzvijay/status/1230853118490857478
Importantly, the indexed search results were also reported to contain several instances of child porn sharing groups, as per a Twitter user. The existence of the child porn problem on WhatsApp has long been reported, and the company has gone to lengths to claim it is working on fixing it.
On an FAQ page from earlier this month about how WhatsApp helps fight child exploitation, the company writes, “WhatsApp has a zero-tolerance policy around child sexual abuse. We ban users from WhatsApp if we become aware they are sharing content that exploits or endangers children… To help prevent sharing of child exploitative imagery (CEI), WhatsApp relies on all available unencrypted information including user reports to detect and prevent this kind of abuse. Over the last three months, WhatsApp has banned approximately 250,000 accounts each month suspected of sharing CEI… For example, we use photo-matching technology called PhotoDNA to proactively scan profile photos for known CEI. Should our systems detect such an image, we will ban the user and associated accounts within a group.”