WhatsApp Private Groups Indexed by Google Search Again

• Private Groups of WhatsApp got indexed by Google Search, and that includes the links to join them.
• Unauthorized third-parties could access the groups, see the participants, their phone numbers, and the chat contents.
• WhatsApp has fixed the problem for now, but they accuse Google of giving them the wrong instructions.

It appears that WhatsApp’s engineers are having trouble figuring out how to keep people’s data away from Google Search indexing crawlers, as the private groups in the platform are showing up publicly on the popular search tool. We got the tip about this from researcher Rajshekhar Rajaharia, who discovered and reported the problem to WhatsApp.

The issue was discovered yesterday and got fixed in a couple of hours, yet the exposure element is something that cannot be remediated or retracted now.

Your @WhatsApp groups may not be as secure as you think they are. WhatsApp Group Chat Invite Links, User Profiles Made Public Again on @Google Again.
Story - https://t.co/GK2KrCtm8J#Infosec #Privacy #Whatsapp #infosecurity #CyberSecurity #GDPR #DataSecurity #dataprotection pic.twitter.com/7PvLYuM9xD

— Rajshekhar Rajaharia (@rajaharia) January 10, 2021

The private groups that appeared on Google Search enabled unauthorized users to access them as the entries featured the associated link. By joining the groups, one could see who the other participants are, their phone numbers, and also the content of the chat posts. Of course, to find something specific, one would have to use the targeted keywords, but random “bombing” would still be a sad scenario for the exposed users.

According to the researcher, the problem is that WhatsApp allows users to generate rich preview links of group chat invites. These can eventually lead to indexing since search engine crawlers can identify the links.

Rich preview is available for both the app and the web version of WhatsApp. As R. Rajaharia explains, WhatsApp could very easily use a “robots.txt” file, which is meant to instruct search engine crawlers not to index certain sensitive areas. Still, for reasons unknown, they aren’t.

WhatsApp has responded to the situation with the following official statement:

While the IM company attempts to throw the ball on Google’s court, accusing them of providing false instructions on keeping private information from being indexed, they should know that merely adding the ‘noindex’ tag won’t work for that purpose in the long term. Big companies like WhatsApp should rely on proper solutions, particularly when it comes to user privacy. Maybe it’s just that WhatsApp doesn’t care to give user privacy the attention it deserves anyway.