“The group chat invite link vulnerability has long been debated, since the links were publicly accessible and can turn ugly if they fall into the wrong hands”
WhatsApp groups have a feature for sharing invite links that let users join them. Group admins can revoke these links at any point. Now, in an interesting turn of events, Google had indexed these private WhatsApp group chat invite links, letting anyone join the groups with a simple, relevant search, according to a report by Motherboard. The links were accessible by searching site:chat.whatsapp.com. However, the Mountain View giant seems to have modified its search results to stop the invite links from being surfaced. The invite link vulnerability has long been debated, since the links were publicly accessible and can turn ugly if they fall into the wrong hands.
Furthermore, Motherboard claims to have found numerous private groups with relevant Google searches and even joined a UK-accredited NGO group, gaining access to participants and their contact details. Commenting on this, Alison Bonny, a WhatsApp spokesperson, said, “Like all content that is shared in searchable public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. The links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3 — Danny Sullivan (@dannysullivan) February 21, 2020
Danny Sullivan, Google’s public search liaison, said on Twitter, “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed.” Surprisingly, a security researcher claims he had reported the issue to Facebook back in November, but the company turned it down, saying that it was an intentional product decision.