WhatsApp fixes bug that leaked private groups and user profiles on Google Search

The WhatsApp bug comes at a time when the popular chat application is facing heat for its updated privacy policy and terms of service.

Highlights
  • WhatsApp had not included the robots.txt file for the ‘chat.whatsapp.com’ subdomain, leading to the indexing of groups and profiles
  • Over 1,700 WhatsApp group invite links and around 7,000 profiles were accessible in Google Search results
  • WhatsApp has now fixed the bug and the links are no longer appearing in search results

WhatsApp has fixed a bug that surfaced private groups and user profiles on Google Search. This comes at a time when the popular chat application is facing heat for its updated privacy policy and terms of service, which plan to share more user data with Facebook. The bug, which was spotted by cybersecurity researcher Rajshekhar Rajaharia, allowed users to join a private WhatsApp group, then see the participants and phone numbers along with updates shared in the group. Rajaharia told Economic Times that over 1,700 group invite links and over 7,000 profiles were accessible via Google Search results.


Furthermore, while some of these groups were dedicated to specific interests and communities, a few others were shabby. The security researcher says that WhatsApp had not included the robots.txt file for the ‘chat.whatsapp.com’ subdomain, which eventually led to the indexing of these groups and profiles. Robots.txt is used by developers to tell search engine crawlers which pages of a website can or cannot be processed. However, WhatsApp has now fixed the bug and the links are no longer appearing in search results.
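For site owners who want to check their own invite or deep-link pages, the sketch below combines the two controls this story mentions, robots.txt and the “noindex” tag, into one audit. It is an added example, not WhatsApp's or the researcher's code; the host name, path, function names and verdict labels are constructed for illustration.

```python
# Added example: audit whether a deep-link page is kept out of search indexes.
# The URL, robots.txt text and page bodies used here are constructed sample data.
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def audit(url, robots_txt, headers, html, agent="Googlebot"):
    """Return (crawl_allowed, noindex_present, verdict) for one page."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_allowed = rp.can_fetch(agent, url)

    meta = RobotsMeta()
    meta.feed(html)
    header = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
    header_directives = {d.strip() for d in header.split(",")}
    noindex = bool({"noindex", "none"} & (meta.directives | header_directives))

    if crawl_allowed and noindex:
        verdict = "excluded"        # crawler can fetch the page and reads noindex
    elif crawl_allowed:
        verdict = "indexable"       # nothing tells the crawler to drop the page
    elif noindex:
        verdict = "noindex-unseen"  # crawling is blocked, so noindex is never read
    else:
        verdict = "url-only-risk"   # the bare URL can still be listed via external links
    return crawl_allowed, noindex, verdict


SAMPLE_URL = "https://chat.example.test/invite/CONSTRUCTED"  # constructed placeholder

if __name__ == "__main__":
    print(audit(SAMPLE_URL, "", {}, "<html><head><title>Join group</title></head></html>"))
    print(audit(SAMPLE_URL, "", {}, '<meta name="robots" content="noindex">'))
```

A verdict of “noindex-unseen” flags the case where both controls are set at once: a crawler that is disallowed by robots.txt never fetches the page, so it never sees the noindex directive.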


“Since March 2020, WhatsApp has included the “noindex” tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website,” a WhatsApp spokesperson said.

A similar WhatsApp bug first surfaced back in 2019 due to a misconfiguration by the chat application. This made search engines index more than 470,000 group invites. It was pointed out by Jane Manchun Wong and was fixed last year.