WhatsApp bug made group chats accessible via simple Google search


Controversy continues to loom over WhatsApp, as the popular instant messaging app suffered a security bug in which private group chats appear to be showing up in Google search results, leaving room for anyone to join them.

The issue first surfaced back in 2020 and was quickly fixed, but has now resurfaced, making private user data such as profile pictures and phone numbers accessible to anyone via a simple Google search.

The issue was first brought to light by Indian cybersecurity expert and entrepreneur Rajshekhar Rajaharia, who suggested that WhatsApp groups that use links to allow users to enter may once again be vulnerable to being found online.

According to a statement by WhatsApp, the bug has been fixed; however, over 1,500 group invite links were available in search results before the issue was patched up.

“Since March 2020, WhatsApp has included the ‘noindex’ tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time,” the statement from the instant messaging app said.

It also added that, like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users.

“Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website,” the statement added.

However, many cybersecurity experts consider that merely adding the ‘noindex’ tag is not enough to be a permanent solution, as links continue to resurface in search results after a few months.

“Big tech companies like WhatsApp should look for a proper solution if they really care for users’ privacy,” Rajaharia was quoted as saying.

First appearing in February 2020, the bug was uncovered by app reverse-engineer Jane Wong, who found that Google had around 470,000 results for a simple search of “chat.whatsapp.com”, part of the URL that makes up invites to WhatsApp groups.

In response, Danny Sullivan, Google’s public search liaison, tweeted at the time that “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results.”
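The ‘noindex’ directive discussed above can be delivered in a meta tag or in an X-Robots-Tag response header, and a crawler only sees it on pages it is allowed to fetch. The following Python check is an added example, not code from WhatsApp or Google; the host invite.example, the sample responses and the function name audit are constructed for illustration, and it goes beyond the article by also covering the header form and the robots.txt interaction.

```python
import re
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

def _tokens(value):
    # "googlebot: noindex, nofollow" -> {"googlebot", "noindex", "nofollow"}
    # Simplification: a user-agent prefix is not matched against the crawler name.
    return {t for t in re.split(r"[,:\s]+", value.lower()) if t}

class _MetaRobots(HTMLParser):
    """Collect directives from <meta name="robots"> and <meta name="googlebot">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= _tokens(a.get("content", ""))

def audit(url, headers, html, robots_txt, agent="Googlebot"):
    """Classify one fetched page as 'excluded', 'indexable' or 'crawl-blocked'."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # The crawler never downloads the page, so it cannot read a noindex
        # directive; the bare URL can still be listed if other sites link to it.
        return "crawl-blocked"
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= _tokens(value)
    parser = _MetaRobots()
    parser.feed(html)
    found |= parser.directives
    # "none" is shorthand for "noindex, nofollow".
    return "excluded" if found & {"noindex", "none"} else "indexable"

# Constructed sample responses for a hypothetical invite page.
URL = "https://invite.example/invite/PLACEHOLDERCODE"
META_PAGE = '<html><head><meta name="robots" content="noindex"></head></html>'
PLAIN_PAGE = "<html><head><title>Join group</title></head></html>"
BLOCKING_ROBOTS = "User-agent: *\nDisallow: /invite/\n"

if __name__ == "__main__":
    print(audit(URL, [], META_PAGE, ""))
    print(audit(URL, [("X-Robots-Tag", "noindex")], PLAIN_PAGE, ""))
    print(audit(URL, [], PLAIN_PAGE, ""))
    print(audit(URL, [], META_PAGE, BLOCKING_ROBOTS))
```

Run against real responses in a release pipeline, a result of 'indexable' or 'crawl-blocked' for an invite page is the condition to alert on.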

The resurfacing of this bug comes at a time when WhatsApp and its parent company Facebook face public backlash following their announcement of a change in their privacy policy that would see the platform force its users to either hand over their private data or have their accounts deleted.

Under the terms of the new policy, Facebook will be able to collect users’ data from the app such as their phone number, email address, contacts, location, device ID, user ID, advertising data, purchase history, product interaction, payment info, crash, performance, and other diagnostic data, customer support, and metadata.

Users who refuse to comply with the updated policy – which will come into effect as of February 8 – will lose their chats, contacts, and access to the app as a whole. The update will be visible in the form of an in-app notification, which users can choose to ignore until the date arrives.

Since then, WhatsApp’s rivals, Telegram and Signal, have witnessed a spike in downloads as users have begun migrating toward more secure and private instant messaging apps.