After a cybersecurity researcher pointed out a WhatsApp security vulnerability in a Twitter post, WhatsApp is in damage-control mode.
Imagine discussing important details with your office colleagues on the team’s WhatsApp group, when suddenly a random person joins in. This anonymous person now has immediate access to information like the details of group members and the group’s name and profile picture. This was a real issue: private group chats could be discovered via Google Search.
WhatsApp groups are showing up on Google search yet again. As a result, anyone could discover and join a private WhatsApp group by simply searching on Google. It was reported that over 1,500 group invite links were appearing in search results. These links are, however, no longer appearing in search results.
WhatsApp Security Vulnerability
By allowing the indexing of group chat invites, WhatsApp is making several private groups available across the Web as their links can be accessed by anyone using a simple search query on Google — although we are not sharing the exact details. Someone who finds these links can join the groups and would also be able to see the participants and their phone numbers along with the profile pictures and the posts being shared within those groups. Should nobody notice these unwelcome entries into the group, the stranger could then stay hidden for quite some time until someone realizes his/her presence. What’s worse is even after such strangers are kicked out of the group, their brief entry still leaves them with the list of phone numbers in the group.
In a Twitter post, independent cybersecurity researcher Rajshekhar Rajaharia pointed out the WhatsApp security vulnerability. “Your @WhatsApp groups may not be as secure as you think they are. WhatsApp Group Chat Invite Links, User Profiles Made Public Again on @Google Again,” Rajaharia said.
WhatsApp Damage Control Exercise
WhatsApp clarified today that it has been taking steps to prevent the Google indexing of its users and group invites. WhatsApp’s clarification came after cybersecurity researcher Rajshekhar Rajaharia pointed out the vulnerability in a Twitter post.
“Since March 2020, WhatsApp has included the ‘noindex’ tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time,” a WhatsApp spokesperson said.
“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website,” the spokesperson added.
WhatsApp said that the indexing issue has been resolved.
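The “noindex” exclusion the spokesperson refers to can reach a crawler either as a robots meta tag in the page or as an X-Robots-Tag response header. As an added example (not from the original article or from WhatsApp), this Python check inspects a fetched response for either form; the function names and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Crawler names whose directives apply to Google Search; "robots" addresses all crawlers.
GOOGLE_AGENTS = {"robots", "googlebot"}

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() in GOOGLE_AGENTS:
            self.directives |= _split(a.get("content", ""))

def _split(value):
    """Split a comma-separated directive list into lowercase tokens."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}

def header_directives(headers):
    """Directives from X-Robots-Tag headers, honouring an optional 'googlebot:' prefix."""
    found = set()
    for name, value in headers:
        if name.strip().lower() != "x-robots-tag":
            continue
        agent, sep, rest = value.partition(":")
        if sep and "," not in agent:
            # "googlebot: noindex" targets one crawler; skip rules for other names.
            if agent.strip().lower() not in GOOGLE_AGENTS:
                continue
            value = rest
        found |= _split(value)
    return found

def excluded_from_index(headers, html):
    """True if the response asks Google not to index it ('none' implies noindex)."""
    parser = _RobotsMeta()
    parser.feed(html)
    directives = parser.directives | header_directives(headers)
    return bool(directives & {"noindex", "none"})

# Constructed sample pages (not real WhatsApp responses).
TAGGED_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
UNTAGGED_PAGE = "<html><head><title>Join group chat</title></head></html>"
```

A noindex directive is only honoured if the crawler is allowed to fetch the page, so a robots.txt block on the same URL would keep the crawler from ever seeing the tag.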
Repetition of Old Issues
The issue was first discovered in 2019 and was apparently fixed last year after becoming public. Another old issue, which also appeared to have been fixed but seems to be cropping up again, is user profiles showing up in search results. Because of it, people’s phone numbers and profile pictures could be surfaced through a simple Google search.
The latest indexing error is a repeat of February 2020 when Google and WhatsApp had received a lot of criticism as some public groups, along with chats and member information, started showing up on Google search results. The issue was claimed to be resolved back then.
WhatsApp Multi Issues