- Private Groups of WhatsApp got indexed by Google Search, and that includes the links to join them.
- Unauthorized third-parties could access the groups, see the participants, their phone numbers, and the chat contents.
- WhatsApp has fixed the problem for now, but they accuse Google of giving them the wrong instructions.
It appears that WhatsApp’s engineers are having trouble figuring out how to keep people’s data away from Google Search indexing crawlers, as the private groups in the platform are showing up publicly on the popular search tool. We got the tip about this from researcher Rajshekhar Rajaharia, who discovered and reported the problem to WhatsApp.
The issue was discovered yesterday and got fixed in a couple of hours, yet the exposure element is something that cannot be remediated or retracted now.
The private groups that appeared on Google Search enabled unauthorized users to access them as the entries featured the associated link. By joining the groups, one could see who the other participants are, their phone numbers, and also the content of the chat posts. Of course, to find something specific, one would have to use the targeted keywords, but random “bombing” would still be a sad scenario for the exposed users.
According to the researcher, the problem is that WhatsApp allows users to generate rich preview links of group chat invites. These can eventually lead to indexing since search engine crawlers can identify the links.
Rich preview is available for both the app and the web version of WhatsApp. As R. Rajaharia explains, WhatsApp could very easily use a “robots.txt” file, which is meant to instruct search engine crawlers not to index certain sensitive areas. Still, for reasons unknown, they aren’t.
WhatsApp has responded to the situation with the following official statement:
"Since March 2020, WhatsApp has included the "noindex" tag on all deep link pages, which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice, and the admin can revoke or change the group invite link at any time. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
While the IM company attempts to throw the ball on Google’s court, accusing them of providing false instructions on keeping private information from being indexed, they should know that merely adding the ‘noindex’ tag won’t work for that purpose in the long term. Big companies like WhatsApp should rely on proper solutions, particularly when it comes to user privacy. Maybe it’s just that WhatsApp doesn’t care to give user privacy the attention it deserves anyway.