Imagine having a very private conversation with your family in a WhatsApp group that only invited people can join. And then the whole world can find the group invitation, join the group, and see the phone numbers of the group members.
Personally, I have banned WhatsApp since the European GDPR came into effect for privacy reasons. So I can only test a little, but I think there is enough information for readers.
The WhatsApp Groups and the Google Search Index
WhatsApp has private groups to chat in that you can only join with invitations (invites). A link with an invitation is sent to potential participants. Jordan Wildon, a journalist, happened to notice that the invitation links appear in Google searches. He recently posted the following tweet.
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
Google apparently indexes these WhatsApp invitation links for private groups so that they are searchable. A simple search in Google using terms like:
"Whats" site:https: // chat[.]whatsapp[.]com
brings the collected invitations up on the Google search results page. The tweet makes further suggestions. Vice picked up the story and inspected a WhatsApp group whose description claimed that it was intended for an NGO accredited by the United Nations.
(Source: Vice)
After joining, the editor could view a list of all 48 participants and their telephone numbers. The screenshot above shows the overview of the list of participants in this WhatsApp group, where the names and phone numbers of the members appear.
Gets even worse, invite links to CP groups.
How is this shit not taken down yet! @WhatsApp @Facebook pic.twitter.com/2XtFnvDF4o
— johan Liebert (@johan_lieber) February 21, 2020
Such a search seems to turn up explosive insights that could also be revealing for prosecutors. A request that Vice sent to Google remained unanswered. A Facebook spokesperson said:
Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
According to the tweet below, a user had already reported this to Facebook in November 2019. So they know about it.
It seems Facebook acknowledged this after @hackrzvijay alerted them, suggesting that admins can invalidate the link.
In the app, I could only generate a new link (which invalidates the old one), but couldn't disable it altogether. https://t.co/AlPtuRxjbN
— Jordan Wildon (@JordanWildon) February 21, 2020
Only the WhatsApp user community seems clueless. Addendum: The same applies to Telegram, as the following tweet suggests.
Same goes for telegram? pic.twitter.com/ytS30E56zX
— Onkar Soundankar (@onkarsoundnkr77) February 21, 2020
But there are private groups in Telegram that are not searchable.
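For site owners and group admins who want to act on the Facebook statement and the link-reset advice quoted above, the following added example (not code from the article or from WhatsApp) audits your own published pages for group invite links and lists the codes that should be reset. The page contents are constructed samples, the function names are hypothetical, and the shape of the invite code after the host name is an assumption.

```python
import re
from html.parser import HTMLParser

# Host name as given in the article; the code format after "/" is an assumption.
INVITE_RE = re.compile(r"https?://chat\.whatsapp\.com/([A-Za-z0-9]+)", re.I)

# Constructed sample pages standing in for your own site export (path -> HTML).
SAMPLE_PAGES = {
    "/team.html": '<html><head><title>Team</title></head><body>'
                  '<a href="https://chat.whatsapp.com/EXAMPLEcode0000000001">Join</a></body></html>',
    "/internal.html": '<html><head><meta name="robots" content="noindex, nofollow"></head>'
                      '<body>Staff chat: https://chat.whatsapp.com/EXAMPLEcode0000000002</body></html>',
    "/about.html": "<html><body>No links here.</body></html>",
}

class PageScan(HTMLParser):
    """Collects invite codes and the robots meta directive of one page."""
    def __init__(self):
        super().__init__()
        self.codes, self.noindex = set(), False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.noindex = self.noindex or "noindex" in a.get("content", "").lower()
        for value in a.values():              # href, data-* attributes, ...
            self.codes.update(INVITE_RE.findall(value))

    def handle_data(self, data):              # links pasted as plain text
        self.codes.update(INVITE_RE.findall(data))

def audit(pages):
    """Return {invite_code: [(path, indexable), ...]} for all pages."""
    findings = {}
    for path, html in sorted(pages.items()):
        scan = PageScan()
        scan.feed(html)
        scan.close()
        for code in sorted(scan.codes):
            findings.setdefault(code, []).append((path, not scan.noindex))
    return findings

def codes_to_reset(findings):
    """Codes seen on at least one page that a search engine may index."""
    return sorted(c for c, hits in findings.items() if any(ix for _, ix in hits))

if __name__ == "__main__":
    for code in codes_to_reset(audit(SAMPLE_PAGES)):
        print("reset invite link and remove it from the page:", code)
```

A `noindex` directive only keeps compliant crawlers from listing the page; a link on such a page is still publicly reachable, so the full `audit()` result is worth reviewing as well.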