Anyone can see private WhatsApp groups through Google
WhatsApp groups are reappearing in Google search. As a result, anyone can discover and join a private WhatsApp group simply by searching Google. This was first discovered in 2019 and apparently fixed last year after going public. Another old problem, which also seemed to have been fixed but appears to be showing up again, is that user profiles appear in search results. Because of this problem, people’s phone numbers and profile photos could show up through a simple Google search.
By allowing indexing of group chat invitations, WhatsApp is making several private groups available on the web, as their links can be accessed by anyone using a simple search query on Google. Although we are not sharing the exact details, this was verified by Gadgets 360. Anyone who finds these links can join the groups and will also be able to see the participants and their phone numbers along with the posts that are shared within those groups.
Cybersecurity researcher Rajshekhar Rajaharia informed Gadgets 360 about the indexing of WhatsApp group chat invitations on Google. Indexing seems to have started again recently. At the time of writing, there were more than 1,500 group invitation links available in search results.
Some of the links indexed by Google lead to WhatsApp groups that share porn. In some other cases, there were links to WhatsApp groups dedicated to a specific community or interest. Gadgets 360 also found groups that share messages for Bengali and Marathi users. With the links, people who were not invited could easily join the groups.
This is not the first time this problem has occurred. In November 2019, WhatsApp group chat invitations were initially found in Google search results. The issue was reported to Facebook by a security researcher, although it was resolved shortly after it was covered by various media in February last year.
Reverse engineer Jane Manchun Wong reported that WhatsApp had apparently fixed the indexing of group chats by adding the ‘noindex’ meta tag to the chat invitation links. However, the new links include the noindex meta tag.
Group chat links exposed in 2019 are not visible on Google, so this could be a different issue leading to similar results, or a change that unintentionally brought back a previous issue.
Rajaharia told Gadgets 360 that WhatsApp had not included a robots.txt file for the chat.whatsapp.com subdomain, which led to the indexing of group chat invitations on Google and other search engines. Web developers typically use a robots.txt file to tell search engine crawlers which pages or files they can crawl and which they should not index.
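As an added example (not code from WhatsApp, Gadgets 360 or the researchers quoted here), the Python below audits a page for the two controls mentioned above, the noindex meta tag and robots.txt, plus the equivalent X-Robots-Tag response header. It also shows that a noindex directive only takes effect when robots.txt lets the crawler fetch the page; the host name, invite code and sample responses are constructed.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def audit_indexing(url, html, headers, robots_txt, agent="Googlebot"):
    """Report which controls keep `url` out of a search index."""
    meta = RobotsMeta()
    meta.feed(html)
    header = {d.strip().lower() for d in headers.get("X-Robots-Tag", "").split(",")}
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    crawl_allowed = rules.can_fetch(agent, url)
    declared = bool({"noindex", "none"} & (meta.directives | header))
    return {
        "crawl_allowed": crawl_allowed,
        "noindex_declared": declared,
        # A crawler can only obey noindex on a page it is allowed to fetch.
        "noindex_effective": declared and crawl_allowed,
    }


# Constructed sample inputs (hypothetical host and invite code).
URL = "https://chat.example.com/INVITECODE"
PAGE_TAGGED = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
PAGE_BARE = "<html><head><title>Group invite</title></head></html>"
BLOCK_ALL = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for label, args in [
        ("meta noindex, no robots.txt", (URL, PAGE_TAGGED, {}, "")),
        ("X-Robots-Tag header only", (URL, PAGE_BARE, {"X-Robots-Tag": "noindex"}, "")),
        ("no controls at all", (URL, PAGE_BARE, {}, "")),
        ("noindex hidden behind Disallow", (URL, PAGE_TAGGED, {}, BLOCK_ALL)),
    ]:
        print(f"{label}: {audit_indexing(*args)}")
```

The last case is the one to watch when adding a robots.txt: a blanket Disallow stops the crawler from reading the noindex tag, so a URL that is linked from elsewhere can still be listed.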
WhatsApp makes user profiles public on Google
Along with the group invite links, WhatsApp appears to have allowed Google to again index user profiles so that anyone can chat with a user or view their profile picture.
When searching for country codes on the WhatsApp domain, the URLs of people’s profiles, which included phone numbers and profile pictures, could appear. This problem seemed to have been fixed by WhatsApp in June of last year. The company did not issue a statement at the time, but several reports also confirmed this.
We found that, similar to the indexing of group chat invitations, WhatsApp user profiles have also become accessible again on Google during the last few hours. The search engine has already indexed more than 5,000 profile links. Some links also lead to users who have enabled their profile pictures and statuses for anyone in the messaging app.
Cybersecurity researcher Rajaharia discovered the indexing of WhatsApp user profiles on Google. He noticed that, as with group chat invites, there is no robots.txt file for the api.whatsapp.com subdomain to tell search engine crawlers not to crawl its related links.