Don’t count on your private WhatsApp group being as private as you think. An important PSA has been making the rounds today after DW journalist Jordan Wildon noted that using WhatsApp’s “Invite to Group via Link” feature lets groups be indexed by search engines.
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
That makes it surprisingly easy to find some, umm, interesting groups with a simple Google search.
There’s probably a public group for just about any topic you can think of, from animal rescue to the Church of Satan. After joining, you are able to see participants and their phone numbers.
Developer Jane Manchun Wong noted Google gives about 470,000 results for the chat.whatsapp.com URLs used by group invites.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
thanks @JordanWildon for the tip https://t.co/CJxjJ5qyfh pic.twitter.com/FrW1I9Y8vs
— Jane Manchun Wong (@wongmjane) February 21, 2020
To be clear, this isn’t a glitch or something new to WhatsApp. Google told Motherboard that it will index sites on the open web, and that includes group invites, but it offers “tools allowing sites to block content being listed” in its results.
WhatsApp said that “Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
There’s just one problem: all it takes is for one member to publicly share a link to potentially compromise everyone else’s privacy. The other members would never know if this happened. It seems WhatsApp would be better off using Google’s aforementioned tools to simply keep these invite pages from being indexed. So maybe just think twice before posting sensitive info in a WhatsApp group.
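An added example, not from the article or from WhatsApp: a site owner's check of the two controls named in the tweet above, a robots.txt `Disallow` and a `noindex` directive, for a single URL. The host, path and sample inputs are constructed, and the check reflects that a crawler blocked by robots.txt never fetches the page and so never sees a `noindex` on it.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def indexing_status(url, robots_txt, html, headers, agent="Googlebot"):
    """Return 'crawl-blocked', 'noindex' or 'indexable' for one URL."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # The crawler never requests the page, so a noindex on it goes unseen;
        # the bare URL can still be listed if other sites link to it.
        return "crawl-blocked"
    meta = RobotsMeta()
    meta.feed(html)
    found = set(meta.directives)
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found |= {d.strip().lower() for d in value.split(",")}
    return "noindex" if found & {"noindex", "none"} else "indexable"


# Constructed sample inputs (hypothetical host and path, not WhatsApp's).
URL = "https://groups.example/invite/EXAMPLECODE"
ROBOTS_BLOCK = "User-agent: *\nDisallow: /invite/\n"
PAGE_PLAIN = "<html><head><title>Join group</title></head></html>"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    print(indexing_status(URL, "", PAGE_PLAIN, {}))
    print(indexing_status(URL, ROBOTS_BLOCK, PAGE_NOINDEX, {}))
    print(indexing_status(URL, "", PAGE_NOINDEX, {}))
    print(indexing_status(URL, "", PAGE_PLAIN, {"X-Robots-Tag": "noindex"}))
```

Only the `noindex` result means the page is both reachable by the crawler and explicitly excluded from the index.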