While chat apps are generally encrypted end-to-end these days, there are still some really simple vulnerabilities that can happen. Facebook-owned WhatsApp has had one become public in the last couple of days.
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
The issue (now resolved) is that group chats were being indexed by Google’s search engine. What that means is that the invite link to your private group or groups may be publicly available on the Internet. Not only that, but, in theory at least, anyone who has that link could join a private chat group.
Until the early hours of this morning, a Google search for site:chat.whatsapp.com would show a searchable index of hundreds of thousands of group chats. This could have been avoided by having a “noindex” tag on the page, a small oversight with potentially huge repercussions for privacy and safety.
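A check for the missing directive described above, as an added example that is not from the original article or from WhatsApp: it reports whether a page response carries noindex, either in a robots meta tag or in an X-Robots-Tag response header. The sample responses are constructed, and the function and variable names are hypothetical.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # directives that keep a page out of results


def _directives(value):
    # "googlebot: noindex, nofollow" -> {"noindex", "nofollow"}; an optional
    # crawler prefix before ":" is dropped, so scoped rules count too.
    return {t.split(":")[-1].strip().lower() for t in value.split(",") if t.strip()}


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in ("robots", "googlebot"):
            self.directives |= _directives(a.get("content", ""))


def is_indexable(headers, body):
    """True when no X-Robots-Tag header or robots meta tag blocks indexing.

    headers is a list of (name, value) pairs; body is the HTML text.
    """
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= _directives(value)
    parser = _RobotsMeta()
    parser.feed(body)
    return not ((found | parser.directives) & BLOCKING)


# Constructed sample responses for a hypothetical invite-link landing page.
EXPOSED = ([("Content-Type", "text/html")],
           "<html><head><title>Join group</title></head><body></body></html>")
META_FIXED = ([("Content-Type", "text/html")],
              '<html><head><meta name="robots" content="noindex, nofollow"></head></html>')
HEADER_FIXED = ([("X-Robots-Tag", "googlebot: noindex")], "<html></html>")

if __name__ == "__main__":
    for label, (hdrs, html) in [("exposed", EXPOSED), ("meta", META_FIXED),
                                ("header", HEADER_FIXED)]:
        print(label, "indexable" if is_indexable(hdrs, html) else "noindex")
```

A noindex directive only takes effect if the crawler is allowed to fetch the page; a robots.txt Disallow on the same path hides the directive from the crawler, and the URL can still be listed if it is linked from elsewhere.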
If you follow the conversation trail on the above tweet, you’ll find that the issue was actually reported in November 2019 so this isn’t news to Facebook.
I reported to facebook security in early november pic.twitter.com/KSfsd8SYxt
— HackrzVijay 💻 (@hackrzvijay) February 21, 2020
A statement WhatsApp made to Vice News acknowledged the issue. In a bad move, it also attempted to mask the indexing as a deliberate decision, despite the fact that even private groups were indexed.
Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
It seems this was an avoidable error, and one that should have been fixed quickly, followed by a public mea culpa. Is it one that will have you direct your messaging to another platform, or does your confidence in WhatsApp remain steady?