WhatsApp group invite links and user profiles were showing up in Google search results when people searched using WhatsApp’s domain. This meant that anyone could discover and join a private WhatsApp group simply by searching for it on Google. User profiles were also appearing in Google Search results. This is not the first time this has happened: the same issue was reported in 2019 and was fixed last year. While reports from Sunday, January 10 say that WhatsApp group invite links and user profiles could be found via a simple Google search, the vulnerability now appears to have been fixed, as searching Google with WhatsApp’s domain no longer returns any results.
The group chats and profiles appeared in Google search results due to the indexing of WhatsApp group chat invites, which made several private groups available across the web, as their links could be found by anyone using a simple search query on Google. A person who joins these groups would be able to see the participants and their phone numbers alongside the posts being shared within those groups. Cybersecurity researcher Rajshekhar Rajaharia also pointed out the vulnerability in a Twitter post. “WhatsApp also allows users to generate rich preview links of group chat invites that eventually may allow search engine crawlers to identify the links and then index them for future searches,” Rajaharia said. According to a Gadgets 360 report, indexing seems to have started again recently. The links indexed by Google lead to different kinds of groups, including those dedicated to specific communities or interests, groups with messages for Bangla and Marathi users, and some groups that were sharing pornography.
This issue also came up in November 2019, when WhatsApp chats were first found in Google Search results. The issue was reported to Facebook at the time by a security researcher, and was fixed soon after it gained significant media attention. According to reverse engineer Jane Manchun Wong, WhatsApp had apparently fixed group chat indexing by adding the ‘noindex’ meta tag to the chat invite links. However, the fresh links do include the noindex meta tag.
Alongside the group invite links, WhatsApp users’ profiles were also showing up on Google. By searching for country codes on Google along with WhatsApp’s domain, the URLs of people’s profiles could be surfaced, which include phone numbers and profile pictures. This particular issue was fixed by WhatsApp in June 2020. While WhatsApp did not confirm this vulnerability, many reports indicated that the issue was, in fact, real.
According to the Gadgets 360 report, this vulnerability had also recently resurfaced. Google indexed over 5,000 profile links, the report said. While it was being speculated that these vulnerabilities could be a different issue leading to similar results, or a change that unintentionally brought back an old problem, WhatsApp sent out a statement saying that it has sent its feedback to Google to not index these chats. “Since March 2020, WhatsApp has included the “noindex” tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time,” WhatsApp said in its statement.
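
As an added example (not WhatsApp's or Google's code), the sketch below audits a deep-link page for the noindex signal discussed above, reading both the robots meta tag and the `X-Robots-Tag` response header, and flags the case where a robots.txt rule stops the crawler from fetching the page and therefore from seeing the tag. The URL, HTML, headers and robots.txt content are constructed samples on a placeholder domain, and the `audit` function and its status strings are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"|"googlebot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases tag and attribute names
        if tag == "meta" and (a.get("name") or "").strip().lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in (a.get("content") or "").split(",")}


def audit(url, html, headers, robots_txt, agent="Googlebot"):
    """Return (status, reason) for one page. Inputs are passed in; nothing is fetched."""
    meta = RobotsMeta()
    meta.feed(html)
    # Header form of the same directive; agent-prefixed values are not handled here.
    header = {d.strip().lower() for k, v in headers.items()
              if k.lower() == "x-robots-tag" for d in v.split(",")}
    has_noindex = bool((meta.directives | header) & BLOCKING)

    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    if not has_noindex:
        return "indexable", "no noindex in meta tag or X-Robots-Tag header"
    if not crawlable:
        return "noindex-unseen", "robots.txt blocks the crawl, so the tag is never read"
    return "excluded", "crawler can fetch the page and sees noindex"


if __name__ == "__main__":
    # Constructed sample inputs; chat.example is a placeholder domain.
    url = "https://chat.example/invite/SAMPLE"
    tagged = '<html><head><meta name="robots" content="noindex"></head></html>'
    bare = "<html><head><title>Join group</title></head></html>"
    blocked = "User-agent: *\nDisallow: /invite/"
    for html, robots in ((tagged, ""), (bare, ""), (tagged, blocked)):
        print(audit(url, html, {}, robots))
```

A page reported as `noindex-unseen` can still be listed by URL if other pages link to it, because the crawler has to fetch the page to read the tag.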