During the weekend, several media outlets – including Motherboard and Numerama – warned that some WhatsApp group chats were particularly porous. A Google search and a click on a link were enough to follow the exchanges between the members of a group. It was also possible to harvest the phone numbers of all participants. This is how Numerama, for example, was able to recover the numbers of several public figures.
These incursions into private groups are possible because of the “Invite to join the group via a link” feature, which lets the administrator of a group generate a URL that anyone can click to join that group. This invitation address is in the form “https://chat.whatsapp.com/
The concern is that many such links have been indexed by search engines. On Google, you only had to type “site:chat.whatsapp.com” to see a list of 470,000 WhatsApp invitation links. You could even add one or more keywords to refine the search results and thus land on groups devoted to specialized topics.
Why were all these links indexed? Security researcher Jane Manchun Wong says it is due to a misconfiguration of WhatsApp's servers. The company should have limited indexing by search engines, for example through the “robots.txt” file. For its part, WhatsApp has blamed the administrators and members of the groups. A spokesperson told Motherboard:
“Like any content shared on publicly searchable channels, invitation links that are publicly posted on the Internet can be found by other WhatsApp users. Links that users want to share privately with people they know and trust should not be published on a publicly accessible website.”
In other words, if these links are found on search engines, it is because they were published somewhere on the Internet. In any case, things have changed recently. On Google, invitation links are no longer indexed. According to Jane Manchun Wong, this improvement is the work of WhatsApp, which appears to have finally configured its web servers better.
Looks like WhatsApp has fixed it by removing the existing listing from Google and adding the `noindex` meta tag on the chat invitation links! :D pic.twitter.com/kict2bsENu
– Jane Manchun Wong (@wongmjane) February 22, 2020
However, this solution is not perfect, because there are still invitation links on other search engines, such as Bing or Yandex.
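The two controls mentioned above, robots.txt and the `noindex` meta tag, interact: a crawler only sees `noindex` if it is allowed to fetch the page, and a robots.txt Disallow on its own does not keep a URL that is linked elsewhere out of search listings. The Python check below is an added example, not code from WhatsApp or from the article; the `audit_indexing` function, the `chat.example.test` URL and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def audit_indexing(url, headers, html, robots_txt, agent="*"):
    """Return (verdict, reason) for one fetched page and its site's robots.txt."""
    directives = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":  # header form of the same directive
            directives |= {d.strip().lower() for d in value.split(",")}
    meta = RobotsMeta()
    meta.feed(html)
    directives |= meta.directives
    noindex = bool(directives & {"noindex", "none"})  # "none" = noindex, nofollow

    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    crawlable = rules.can_fetch(agent, url)

    if noindex and crawlable:
        return "protected", "noindex is served and crawlers may fetch the page to read it"
    if noindex:
        return "at-risk", "robots.txt blocks the fetch, so the noindex directive is never read"
    if not crawlable:
        return "at-risk", "Disallow stops crawling only; a URL linked elsewhere can still be listed"
    return "indexable", "no noindex directive and crawling is allowed"


# Constructed sample: hypothetical invite URL and page, not WhatsApp's real markup.
SAMPLE_URL = "https://chat.example.test/invite/CONSTRUCTED-TOKEN"
SAMPLE_HTML = '<html><head><meta name="robots" content="noindex"></head></html>'

if __name__ == "__main__":
    print(audit_indexing(SAMPLE_URL, {}, SAMPLE_HTML, ""))
    print(audit_indexing(SAMPLE_URL, {}, SAMPLE_HTML, "User-agent: *\nDisallow: /invite/"))
```

Each search engine applies these directives on its own crawl schedule, which is consistent with links disappearing from one engine while remaining on others.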