WhatsApp glitch leaves 470,000 private groups vulnerable

A glitch on WhatsApp purportedly indexes private groups on Google, allowing their details to be easily found on the internet.

A glitch in the Facebook-owned messaging application WhatsApp has left over 470,000 group chats on the app vulnerable and open. Simply put, your group chat may not be as private as you think.

The ‘Invite to Group via Link’ feature, which allows users to add others into group chats via a URL link, has seen many WhatsApp group conversation links indexed on Google, essentially rendering many group chats open to anybody who happens to find the link for them.

In some cases, group chats can be targeted and found via a brute-force search method.

Journalist Jordan Wildon took to Twitter to voice his discovery.

He added that “any group link that is shared outside of secure, private messaging can relatively easily be found and joined.”

Group admins do have the option to invalidate an existing link on the app, but Wildon also discovered that WhatsApp only generates a new link; the original link isn’t necessarily disabled. Users are warned only to share the link with trusted persons, but the sender can’t always guarantee the link stops with the receiver.

Motherboard, after using Google searches to find invite links to WhatsApp groups, stumbled upon a group chat intended for UN-accredited NGOs. After joining, Motherboard was able to view the names and phone numbers of each participant. 

Facebook/WhatsApp spokesperson Alison Bonny told The Verge via email that “like all content that is shared in searchable public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users.” She also reminded users that links they wish to share privately should not be posted on a publicly accessible website.

While Google itself has not commented on the matter, its public liaison for search, Danny Sullivan, tweeted: “Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed.” He added that Google does have tools sites can use to block content from being listed in search results, and provided a link explaining how to use them.

This isn’t the only time in recent memory that WhatsApp has been in the news for the wrong reasons. In 2018, the Prince of Saudi Arabia allegedly hacked Amazon CEO Jeff Bezos’s phone via a malware-armed WhatsApp message. In May of 2019, Facebook urged users to update the application as swiftly as possible after it discovered that a vulnerability within the app’s code had been exploited: attackers were able to install spyware on iPhones and Android phones just by calling the target phone via WhatsApp.
