WhatsApp Group Chat Links Being Indexed By Search Engines
28 Feb 2020
There are approximately 2 billion active WhatsApp users now, but how many of them knew that their WhatsApp group chat links were exposed on the surface web?
Google, Bing, DuckDuckGo, Yandex and various other search engines indexed the invite links to group chats, many of which were intended to be private. The issue was accidentally rediscovered when Jordan Wildon, a multimedia journalist and social media manager, opened CrowdTangle, a content discovery and social monitoring platform.
There were around 470,000 results for the "chats.whatsapp.com" query, but since February 21 they have mostly been cleaned up. Still, after finding such an abundance of groups, malicious actors had enough time to invite themselves into open groups and mine phone numbers.
“Connecting The World Privately” Headline Aged Like Milk
That exact wording was chosen for the WhatsApp blog publication on February 12.
One week later, security researchers found out about something that had been known for a while, although not given enough attention and care, either by Facebook or by the public. Twitter user @stalio said he reported the issue back in 2016. In early November 2019, user @hackrzvijay contacted Facebook with the alert but received the familiar answer that this was an "intentional product decision".
"This bug is not eligible for a bounty," the answer clarified, elaborating that there was little they could do about search engine activity.
Danny Sullivan, Google's public search liaison, explained that "like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. It's no different than any case where a site allows URLs to be publicly listed."
The same can be said about Telegram’s non-private groups.
Of course, not all such groups were innocent and harmless, so in some sense this discovery also showed just how easy it is to set up a malicious, or at least questionable, group conversation.
Later on, Jane Manchun Wong tweeted that WhatsApp had fixed the oversight by adding the `noindex` meta tag to the chat invitation pages. Truly a great example of how one misconfiguration can affect the privacy of millions.
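As an added illustration (not code from the original post or from WhatsApp), here is a small Python check a site owner can run against a page's HTML and response headers to confirm it actually carries a `noindex` directive, either as a robots meta tag or as an `X-Robots-Tag` header; the sample invite pages are constructed and are not real WhatsApp markup.

```python
from html.parser import HTMLParser

# Directives that tell crawlers not to index the page ("none" means noindex + nofollow).
NOINDEX_DIRECTIVES = {"noindex", "none"}


def _directives(value):
    """Split 'noindex, nofollow' (optionally prefixed 'googlebot: ...') into lowercase tokens."""
    return [part.split(":")[-1].strip().lower() for part in value.split(",") if part.strip()]


class RobotsMetaParser(HTMLParser):
    """Collects content of <meta name="robots"> and crawler-specific tags such as name="googlebot"."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").strip().lower()
        if name == "robots" or name.endswith("bot"):
            self.directives.extend(_directives(attr.get("content", "")))


def robots_directives(html, headers=None):
    """Merge directives from the HTML meta tags and any X-Robots-Tag response headers."""
    parser = RobotsMetaParser()
    parser.feed(html)
    found = list(parser.directives)
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            found.extend(_directives(value))
    return found


def is_noindex(html, headers=None):
    """True if the page tells search engines not to index it via meta tag or header."""
    return any(d in NOINDEX_DIRECTIVES for d in robots_directives(html, headers))


# Constructed sample pages (not real WhatsApp markup): an invite page before and after the fix.
INVITE_PAGE_BEFORE = "<html><head><title>Join my group</title></head><body>Invite</body></html>"
INVITE_PAGE_AFTER = (
    '<html><head><title>Join my group</title>'
    '<meta name="robots" content="noindex, nofollow"></head><body>Invite</body></html>'
)

if __name__ == "__main__":
    for label, page in (("before", INVITE_PAGE_BEFORE), ("after", INVITE_PAGE_AFTER)):
        print(label, "noindex" if is_noindex(page) else "INDEXABLE", robots_directives(page))
```

Remember that `noindex` only asks well-behaved crawlers to drop the page; links that were already copied elsewhere stay exposed, so the check is a verification step, not a substitute for treating invite links as secrets.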
The Biggest Issue With WhatsApp Group Chat Links Oversight
Just like with Google’s “dots don’t matter” policy, not a lot of people know about the issue or care enough to pay attention to it.
Perhaps that would change if they found out that other WhatsApp content can be retrieved using a slightly more creative search approach. As presented in NixIntel's latest blog entry, Google can find backed-up WhatsApp images that have been uploaded to openly accessible servers, using the search query intitle:"WhatsApp Images".
One can expand the search by combining the inurl and intitle operators to look up directories containing WhatsApp content such as messages, images, and backups. Searching for DCIM, in particular, can unveil personal details users wouldn't want to become public. While this trick is not very effective, because Google Drive and Dropbox are the default backup options, it is a case worth being informed about.
If ignorance of the law is not a defense, ignorance about the privacy issues of WhatsApp should not be an excuse.
5 Steps To Make Instant Messengers More Secure
- Verify the encryption. Checking the encryption keys shown on your contact's device and comparing them to those displayed in the contact's profile on yours is a simple yet effective way to verify that the conversation is end-to-end encrypted with the right party.
- Lock the messenger with a password. While not all messengers have this feature, a passcode is extremely useful for protecting your secret chats from someone with physical access to your device.
- Disable cloud backups. When you reinstall some messengers, they pull your chat history and media from the cloud, which leaves your communication open to inspection by third parties.
- Enable multi-factor authentication. This helps restrict access to your account by requiring additional information from anyone trying to sign in.
- Restrict visibility to outsiders. Choose how your profile photo, status, and even live location are seen by other messenger users. Be warned: read receipts do not work properly when you hide your messenger activity.
Be cautious about the other issues of group communication as well. If you want to learn more about them, StealthTalk recommends the paper "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema".
To stay informed about other news like this one, be sure to subscribe to the StealthTalk blog down below. If you have decided to look for alternatives, you can start your free month trial with StealthTalk today.