Google Is Letting People Find Invites to Some Private WhatsApp Groups

With particular Google searches, anyone can discover and join hundreds of thousands of WhatsApp groups.

Feb 21 2020, 2:27pm

Google is indexing invite links to WhatsApp group chats that their administrators may want to keep private. This means that with a simple search, random people can discover and join a wide range of WhatsApp group chats.

"Your WhatsApp groups may not be as secure as you think they are," Jordan Wildon, a multimedia journalist for German outlet Deutsche Welle, tweeted on Friday. Using particular Google searches, people can discover links to the chats, Wildon explained.

App reverse-engineer Jane Wong added in a tweet that Google has around 470,000 results for a simple search of "chat.whatsapp.com," part of the URL that makes up invites to WhatsApp groups.

Motherboard used a number of specific Google searches to find invite links to WhatsApp groups. Some of the groups appear to not be overly sensitive or for a particular audience. Many of the links on Google lead to groups for sharing porn.

But others appear to cater to specific groups. Motherboard entered one WhatsApp group chat that described itself as being for NGOs accredited by the United Nations. After joining, Motherboard was able to see a list of all 48 participants and their phone numbers.

A screenshot of a WhatsApp group joined by Motherboard. Redaction by Motherboard. Image: Motherboard

Danny Sullivan, Google's public search liaison, tweeted "Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results."

A WhatsApp spokesperson said in a statement, "Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website."

Do you work at WhatsApp? Have you found a sensitive WhatsApp group? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Update: This piece has been updated to include comment from WhatsApp and a tweet from Sullivan.
