Google is indexing invite links to WhatsApp group chats whose administrators may want to be private. This means with a simple search, random people can discover and join a wide range of WhatsApp group chats.
"Your WhatsApp groups may not be as secure as you think they are," Jordan Wildon, a multimedia journalist for German outlet Deutsche Welle, tweeted on Friday. Using particular Google searches, people can discover links to the chats, Wildon explained.
App reverse-engineer Jane Wong added in a tweet that Google has around 470,000 results for a simple search of "chat.whatsapp.com," part of the URL that makes up invites to WhatsApp groups.
Motherboard used a number of specific Google searches to find invite links to WhatsApp groups. Some of the groups appear to not be overly sensitive or for a particular audience. Many of the links on Google lead to groups for sharing porn.
But others appear to be catered to specific groups. Motherboard entered one WhatsApp group chat that described itself as being for NGOs accredited by the United Nations. After joining, Motherboard was able to see a list of all 48 participants and their phone numbers.
Danny Sullivan, Google's public search liaison, tweeted "Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results."
A WhatsApp spokesperson said in a statement, "Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website."
Do you work at WhatsApp? Have you found a sensitive WhatsApp group? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Update: This piece has been updated to include comment from WhatsApp and a tweet from Sullivan.
Subscribe to our cybersecurity podcast, CYBER.