Journalist Jordan Wildon said on Twitter that he discovered that WhatsApp’s “Invite to Group Link” feature lets Google index groups, making them available across the internet since the links are being shared outside of WhatsApp’s secure private messaging service.
Invitations to WhatsApp group chats are being indexed by Google, making the invite links —including links to private group chats — discoverable and available to anyone who wants to join, Motherboard reports.
Motherboard was able to find private groups using specific Google searches (and the results included a lot of porn-sharing groups). Once they joined a group — which was intended for NGOs accredited by the UN — they had access to all of the participants and their phone numbers.
Group admins can invalidate a link to a chat if they want to, but Wildon says he discovered that, in those situations, WhatsApp only generates a new link; it doesn’t necessarily disable the original link. WhatsApp group links come with warnings attached, reminding the person who generates the link only to share it with people they trust.
Facebook / WhatsApp spokesperson Alison Bonny said in an email to The Verge that “like all content that is shared in searchable public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users,” adding that “links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Google declined to provide comment on the record, but Danny Sullivan, the company’s public liaison for search, tweeted that “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed.” He included a link to directions in Google’s Help Center for blocking content from being included in search results.
WhatsApp, of course, has had its share of security-related headaches in recent months. An alleged hack by Saudi Arabia into Amazon CEO Jeff Bezos’ phone back in 2018 was reportedly carried out via a malware-infected WhatsApp message. Last May, a vulnerability discovered in the app was being used to inject spyware on Android and iOS phones via phone call.