PSA: Don’t Post Links to Private WhatsApp Groups

Written by Matt Milano
    Although WhatsApp is well-known for its security and end-to-end encryption, posting links to WhatsApp groups can open the entire group to the internet.

    Jordan Wildon, a journalist with DW News, first noticed that Google was indexing WhatsApp invitation links.

    Your WhatsApp groups may not be as secure as you think they are.

    The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups.

    — Jordan Wildon (@JordanWildon) February 21, 2020

    Following his tweet, Jane Manchun Wong—who specializes in reverse engineering apps to uncover security flaws—confirmed the issue.

    A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines

    It should’ve been Disallowed with robots.txt or with the noindex meta tag

    thanks @JordanWildon for the tip

    — Jane Manchun Wong (@wongmjane) February 21, 2020

    Motherboard did further testing and was able to join a variety of groups, including one that claimed to be “NGOs accredited by the United Nations.” Motherboard was able to see all of the group participants and their phone numbers.

    Google has said there is nothing wrong with what’s occurring, and this is a simple case of their search engine indexing publicly available information, just as it would any other source.

    In a statement to Motherboard, WhatsApp confirmed that stance: “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

    The takeaway here is that if users want to keep their WhatsApp groups private, they shouldn’t share access via public links. Doing so essentially serves as an open invitation, only requiring someone to put forth the time and effort to find such groups.
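
The two controls named in Jane Manchun Wong's tweet, a robots.txt Disallow rule and a noindex directive, can be audited for any invite-style URL a service exposes. The following is an added example, not code from the article or from WhatsApp; the chat.example host, the /invite/ path and all sample data are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample data for a hypothetical service at chat.example.
INVITE_URL = "https://chat.example/invite/CONSTRUCTED-TOKEN"
ROBOTS_WEAK = "User-agent: *\nDisallow: /admin/\n"
ROBOTS_FIXED = ROBOTS_WEAK + "Disallow: /invite/\n"
PAGE_PLAIN = "<html><head><title>Join group</title></head></html>"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in attr.get("content", "").split(",")}


def indexing_controls(url, robots_txt, headers, html, agent="Googlebot"):
    """Report which search-engine exclusion controls apply to url."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    meta = RobotsMeta()
    meta.feed(html)
    # X-Robots-Tag is the HTTP-header form of the robots meta tag.
    header = {d.strip().lower() for k, v in headers.items()
              if k.lower() == "x-robots-tag" for d in v.split(",")}
    crawl_blocked = not rules.can_fetch(agent, url)
    # "none" is shorthand for "noindex, nofollow".
    noindex = bool({"noindex", "none"} & (meta.directives | header))
    return {"crawl_blocked": crawl_blocked, "noindex": noindex,
            "exposed": not (crawl_blocked or noindex)}


if __name__ == "__main__":
    for label, robots, page in [("weak", ROBOTS_WEAK, PAGE_PLAIN),
                                ("robots.txt fix", ROBOTS_FIXED, PAGE_PLAIN),
                                ("noindex fix", ROBOTS_WEAK, PAGE_NOINDEX)]:
        print(label, indexing_controls(INVITE_URL, robots, {}, page))
```

A robots.txt rule only stops crawling, and a crawler that is blocked from a page never sees a noindex directive on it, so review the two results together rather than treating either as sufficient on its own.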
