WhatsApp is popular because its end-to-end encryption gives users warm fuzzies over the privacy and security of their chats. However, the chat messaging application might not be quite as secure or private as you thought (or at least that was the case). That's because Google had been indexing links to group chats, which in turn allowed any Joe or Jane to join and see potentially private information.
Apparently this had been going on for several years. As a result, there were hundreds of thousands of indexed chat group links on the web, all of which were a simple Google search away.
"Your WhatsApp groups may not be as secure as you think they are. The 'Invite to Group via Link' feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups," journalist Jordan Wildon stated in a Twitter post.
In a related tweet, app reverse engineer Jane Manchun Wong said a Google search for chat.whatsapp.com returned around 470,000 indexed results.
"It should've been disallowed with robots.txt or with the 'noindex' meta tag," Wong wrote.
Following the revelation, the folks at Motherboard did some digging and found a variety of WhatsApp chat groups. Not all of the groups were super sensitive or geared towards a specific audience. However, many of the links led to groups for sharing pornography (go ahead and feign surprise), and some of them were definitely meant to be private.
For example, one of the groups the site found by way of a Google search was one described as being for NGOs accredited by the United Nations. The site joined the group chat and was immediately able to spy a list of dozens of participants, including their phone numbers. Yikes!
WhatsApp's developers know about this, but downplayed the situation.
"Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website," WhatsApp said in a statement.
Regardless of where the fault lies, this is unsettling. On top of it all, another user claims to have alerted Facebook (which owns WhatsApp) about this in November in hopes of claiming a bug bounty. Facebook said the report was not eligible, but also admitted that Google was indexing this kind of information.
"I can’t see a beneficial reason as to why any party would see this as a good idea. If anything, it just makes WhatsApp appear less secure. It may be encrypted in the middle, but if you are accepted into a group chat, you have the encryption key to read on," security firm ESET told Forbes in a statement.
Fortunately, it looks like the issue is now fixed. Facebook and Google have not yet issued an updated comment, though as Wong suggested, it looks like the issue has been resolved by a combination of adding the "noindex" meta tag on chat invitations, and Google removing existing listings.
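For anyone running a service that hands out secret-bearing links like these, the two controls Wong mentions can be audited offline. The sketch below is an added example, not WhatsApp's or Google's code; the host `chat.example.test`, the `audit` function and all sample pages are constructed for illustration. It also covers the case where the two controls are combined: a robots.txt `Disallow` stops the crawler from fetching the page, so a `noindex` tag on it is never read and the URL can still be listed if it is linked from elsewhere.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

def split_directives(value):
    """Split 'noindex, nofollow' into a set of lowercase directives."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}

class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives |= split_directives(a.get("content") or "")

def audit(url, headers, html, robots_txt, agent="Googlebot"):
    """Classify one page as 'indexable', 'noindex' or 'blocked-unseen'."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # Crawling is blocked, so any noindex on the page is never read;
        # a URL linked from elsewhere can still appear in results.
        return "blocked-unseen"
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":  # header form of the same control
            found |= split_directives(value)
    meta = RobotsMeta()
    meta.feed(html)
    found |= meta.directives
    # 'none' is shorthand for 'noindex, nofollow'
    return "noindex" if found & {"noindex", "none"} else "indexable"

# Constructed sample data (hypothetical host and invite code)
URL = "https://chat.example.test/invite/CONSTRUCTED123"
PLAIN = "<html><head><title>Join group</title></head></html>"
TAGGED = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
BLOCK = "User-agent: *\nDisallow: /invite/\n"

if __name__ == "__main__":
    print(audit(URL, {}, PLAIN, ""))                       # no control at all
    print(audit(URL, {}, TAGGED, ""))                      # meta tag
    print(audit(URL, {"X-Robots-Tag": "noindex"}, PLAIN, ""))  # header
    print(audit(URL, {}, TAGGED, BLOCK))                   # tag hidden by Disallow
```
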