FEBRUARY 23, 2020
WhatsApp is one of those instant messenger apps that has garnered millions of users in just a few years and has managed to maintain its lead in the ‘Most downloaded apps’ section across platforms. Although it is a part of Facebook, over the years it has successfully won the trust of users by keeping its chats ‘encrypted’. A small message in a new chat window even shows that the message is encrypted. But how secure are they really? The question arises because a few hours ago a report from Vice revealed that it is possible to gain access to private chat groups (content, members and their contacts) on WhatsApp with a simple Google search. Yep, that’s right.
And Facebook has known about it for months.
If you aren’t aware, private chat groups on WhatsApp are usually accessible through an invite code (the URL) that is sent by the group creators or admins. But as per the report, Google seems to be indexing those URLs (at least some of them) and showing them in search results. This lets anyone access those URLs and join the private group.
Reverse app engineer Jane Manchun Wong also tweeted that some 470,000 group invite links have been indexed by Google.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
thanks @JordanWildon for the tip https://t.co/CJxjJ5qyfh pic.twitter.com/FrW1I9Y8vs
— Jane Manchun Wong (@wongmjane) February 21, 2020
Usually one would read this and blame Google for it. But it looks like Facebook-owned WhatsApp is the culprit here. It is worth adding that Google crawls for URLs across the entire web, and since a WhatsApp user can share the private group chat link on social media or any other website, it is bound to end up on Google. That WhatsApp lets anyone with that URL enter a group is something worth questioning.
This piece of information comes from Google’s Search Liaison, Danny Sullivan, who tweeted:
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3
— Danny Sullivan (@dannysullivan) February 21, 2020
Anyone can see the WhatsApp Group chats indexed on Google. All they need to do is to start the search query with “chat.whatsapp.com” followed by a piece of information specific to the chats. Vice was able to find several groups related to sharing porn content as well. And these chat groups show not just the content that is being shared but also the names and contacts of the members that are a part of the group.
What’s worse is that WhatsApp’s parent company Facebook has been aware of this security issue ever since November 2019. This comes from a Twitter user named @hackrzvijay, who alerted Facebook about it in order to get some bounty but got a reply from the social media giant stating that it was an “intentional product decision”.
Here’s the full reply:
I reported to facebook in early november pic.twitter.com/QB7pHsz5vu
— HackrzVijay (@hackrzvijay) February 21, 2020
In a statement to Vice, WhatsApp’s spokesperson confirms that such group chat links can be indexed by search engines and that one should not share such links on public forums. “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Courtesy/Source: Hindustan Times