WhatsApp groups are showing up on Google search yet again. As a result, anyone could discover and join a private WhatsApp group by simply searching on Google. This was first discovered in 2019, and was apparently fixed last year after becoming public. Another old issue, which also appeared to have been fixed but seems to be cropping up again, is user profiles showing up through search results. People’s phone numbers and profile pictures could be surfaced through a simple a Google search, because of the issue.
By allowing the indexing of group chat invites, WhatsApp is making several private groups available across the Web as their links can be accessed by anyone using a simple search query on Google — although we are not sharing the exact details, this was verified by Gadgets 360. Someone who finds these links can join the groups and would also be able to see the participants and their phone numbers alongside the posts being shared within those groups.
Update: WhatsApp replied to say, “Since March 2020, WhatsApp has included the ‘noindex’ tag on all deep link pages which, according to Google, will exclude them from indexing.” Gadgets 360 was able to confirm that the search results are no longer visible on Google anymore; however, WhatsApp’s statement did not mention this fix. The full statement is at the end of this story. Rajshekhar Rajaharia, who informed about the indexing issue, commented on the statement given by WhatsApp and said, “Adding the ‘noindex’ tag is not a proper solution as links surface again on search results in a a few months. Big tech companies like WhatsApp should look for a proper solution if they really care users’ privacy.”
Cybersecurity researcher Rajshekhar Rajaharia informed Gadgets 360 about the indexing of WhatsApp group chat invites on Google. The indexing seems to have started again quite recently. At the time of writing, there were over 1,500 group invite links available in search results.
Some of the links indexed by Google lead to WhatsApp groups sharing porn. In a few other cases, there were links to WhatsApp groups dedicated to specific community or interest. Gadgets 360 also found groups sharing messages for Bangla and Marathi users. With the links, people who weren’t invited could easily join the groups.
This isn’t the first time that this issue has happened. In November 2019, WhatsApp group chat invites were initially found on Google search results. The issue was reported to Facebook by a security researcher, though it was resolved soon after it was covered by several news outlets in February last year.
Reverse engineer Jane Manchun Wong reported that WhatsApp had apparently fixed group chat indexing by adding the ‘noindex’ meta tag on the chat invite links. However, the fresh links do include the noindex meta tag.
The group chat links exposed in 2019 time are not visible on Google, so this could be a different issue leading to similar results, or a change that unintentionally brought back an old problem.
Rajaharia told Gadgets 360 WhatsApp hadn’t included the robots.txt file particularly for chat.whatsapp.com subdomain that led to indexing of group chat invites on Google and other search engines. Web developers normally use a robots.txt file to tell search engine crawlers which pages or files they could crawl and which they shouldn’t for indexing.
WhatsApp making user profiles public on Google
Alongside group invite links, WhatsApp seems to have allowed Google again to index user profiles to let anyone chat with a user or look at their profile picture.
By searching for country codes on WhatsApp’s domain, the URLs of peoples profiles could be surfaced, which included phone numbers and profile pictures. This issue appeared to have been fixed by WhatsApp in June last year — the company had not issued a statement at the time but multiple reports had also confirmed this.
Gadgets 360 found that similar to the group chat invites indexing, WhatsApp user profiles are also again accessible on Google for the last few hours. The search engine already indexed over 5,000 profile links. Some links also lead to the users who have enabled their profile pictures and statues to anyone on the messaging app.
Cybersecurity researcher Rajaharia discovered the indexing of WhatsApp user profiles on Google. He noticed that just like the group chat invites, there is no particular robots.txt file for the api.whatsapp.com subdomain to tell search engine crawlers to not crawl its related links.
“Since March 2020, WhatsApp has included the “noindex” tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time.
Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.” – WhatsApp spokesperson
What will be the most exciting tech launch of 2021? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.
0 Comments