A worrying new discovery about WhatsApp Group Chats has been made recently – it turns out that those so-called private groups can be found by just about anyone who uses the Internet. It is even possible for a complete stranger to join these groups and access the contact information of all the participants.
This is because of the ‘Invite to Group via Link’ feature in WhatsApp. There are two ways admins can add people to groups. They can ‘Add Participants’ by opening ‘Group Info’ in the app and directly clicking on the phone contacts they want to invite. Or they can share a link or QR code to the group.
The second option is actually a worrying security hole, one that opens the door for mischief makers, and for governments that wish to spy on citizens. If an admin or a participant in a private group shares the link on a public platform on the Internet, search engines can find and index it.
Then anyone who knows a little about searching the Internet efficiently can use specific terms to discover these compromised ‘private’ WhatsApp chats. They can even join such groups and see the phone numbers of all the participants. The revelation comes courtesy of Deutsche Welle journalist Jordan Wildon, through his Twitter account.
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
As you can see from the discussion thread in the tweet posted below by app reverse-engineer Jane Wong, Facebook was allegedly made aware of the issue in November 2019 but insisted that it was not their problem. Admins can reset the link (see first image) when they want to stop accepting new people into their WhatsApp chat groups.
But if there was any danger of private group chats being indexed by search engines and compromising participants’ personal details, Facebook should have been shouting about it from the rooftops and making people aware of it. Or it should have made provisions to prevent WhatsApp from being crawled.
How to Make Private WhatsApp Groups More Secure
Make your private WhatsApp group more secure by resetting the link to it in case you shared it with anyone. Do this by opening the group chat, clicking on Group Info > Invite to Group via Link > Reset Link. And in the future, add people’s phone numbers to your contacts so you can ‘Add Participants’ to groups directly instead of sending them link invites.
If you’ve made a group and added someone as admin, there is a chance they have shared an invite link on the web. So don’t assign multiple admins to your group, or at least only add people you trust as admins.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
thanks @JordanWildon for the tip https://t.co/CJxjJ5qyfh pic.twitter.com/FrW1I9Y8vs
— Jane Manchun Wong (@wongmjane) February 21, 2020
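A site owner can check for the two controls named in the tweet above, a robots.txt `Disallow` rule and a `noindex` signal, before invite-style pages go live. The following is an added example, not code from this article or from WhatsApp; the host `groups.example`, the `/invite/` path and all sample inputs are constructed.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def crawl_allowed(robots_txt, url, agent="*"):
    """True if robots.txt lets the given user agent fetch the URL."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)

def noindex_signalled(headers, html):
    """True if the response carries noindex via X-Robots-Tag or a robots meta tag."""
    header = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
    meta = RobotsMeta()
    meta.feed(html)
    return "noindex" in header or bool({"noindex", "none"} & meta.directives)

def audit(robots_txt, url, headers, html):
    if not crawl_allowed(robots_txt, url):
        # A compliant crawler never fetches the page, so it never reads a noindex on it.
        return "not crawled"
    return "excluded: noindex" if noindex_signalled(headers, html) else "indexable"

# Constructed sample inputs (hypothetical host and path).
URL = "https://groups.example/invite/AbC123"
OPEN_ROBOTS = "User-agent: *\nDisallow: /admin/\n"
BLOCK_ROBOTS = "User-agent: *\nDisallow: /invite/\n"
PLAIN_HTML = "<html><head><title>Join group</title></head></html>"
NOINDEX_HTML = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    print(audit(OPEN_ROBOTS, URL, {}, PLAIN_HTML))
    print(audit(OPEN_ROBOTS, URL, {}, NOINDEX_HTML))
    print(audit(OPEN_ROBOTS, URL, {"X-Robots-Tag": "noindex"}, PLAIN_HTML))
    print(audit(BLOCK_ROBOTS, URL, {}, PLAIN_HTML))
```

A result of `indexable` means neither control is in place for that page.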
UPDATE: WhatsApp appears to have removed hundreds of group chat invite links from Google. They are however still available through other search engines.