WhatsApp group invited links and user profiles showed up on Google search when people surveyed using WhatsApp domain. This meant that anyone could find WhatsApp’s private group and join it by simply searching on Google. Further, user profiles also appeared through Google Search results. This is not the first time this is happening, as the same case was also reported in 2019 and was settled last year. While reports from Sunday, January 10 state that one WhatsApp group can be seen inviting user links and profiles through a simple Google search, it appears that the vulnerability is now positioned as Google search with WhatsApp domain, the search engine will not throw away any results.
The chairs and group profiles appeared on Google search results due to WhatsApp’s index of group chat invitations made by several private groups available all over the web as anyone who uses a search query will find simple on Google their links. A person who accompanies these groups would be able to see the participants and their telephone numbers as well as the posts being shared within these groups. Cybersecurity researcher Rajshekhar Rajaharia also highlighted his vulnerability in a Twitter post. “WhatsApp also allows link users to generate a rich preview of group chat invitations that can allow search engine crawlers to identify the links and then index them for future searches , “Rajaharia said. According to the Gadgets 360 report, it seems that indexing has recently started again. The links indexed by Google lead to different types of groups, giving included those dedicated to specific communities or interests, along with groups with messages for Bangla and Marathi users, and some organizations that shared pornography as well.
This issue also surfaced in November 2019, when WhatsApp conversations were first detected on Google Search results. The case was then reported to Facebook by a security investigator, and was settled shortly after receiving much media attention. According to back engineer Jane Manchun Wong, WhatsApp apparently set up a group chat index by putting the meta tag ‘noindex’ on the invite chat. However, the new links include a noindex meta tag.
Along with the group inviting contacts, the profile of WhatsApp users also appears on Google. By searching for country codes on Google along with WhatsApp domains, people’s image URLs, which include phone numbers and profile pictures, could be surfaced. This particular issue was fixed by WhatsApp in June 2020. Although WhatsApp did not confirm this vulnerability, many reports indicated that the issue was, in fact, true.
According to Gadgets 360 report, this vulnerability has recently been made accessible. Google has indexed more than 5,000 profile links, the report said. It is speculated that these vulnerabilities may be a different issue leading to similar results, or a change that unfortunately brought back an old problem.