WhatsApp group invite links, user profiles accessible via Google search
In a disturbing development, several private WhatsApp groups and user profiles are showing up in Google search results, compromising the privacy of users. The issue stems from the indexing of some group chat invite links, which allows anyone to find and join a private group by searching on Google. This issue was fixed in 2020 but seems to have resurfaced.
Understanding the issue
Google indexes or stores a webpage after its crawler ("Googlebot") analyzes the content and meaning of the page. These indexed pages are then shown in Google Search results. So, by allowing the indexing of group chat invite links, WhatsApp is making these groups accessible to anyone on the web who can find their links by a simple search query.
Personal information like contact numbers and pictures can be compromised
Whoever finds these invite links can easily join the group and gain access to the chats as well as the personal information of all the participants, including their contact numbers and profile pictures. However, whenever a new person joins a group, all participants receive a notification, and the admin can remove the unwelcome entrant or change the group invite link at any time.
"Since March 2020, WhatsApp has included the 'noindex' tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats," a WhatsApp spokesperson said. At present, it is unclear whether WhatsApp is at fault or Google's crawler made an error by indexing some "noindex" links.
According to WhatsApp's spokesperson, "Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users." Hence, invite links should be shared privately and not be posted on public websites.
Cybersecurity researcher suggests WhatsApp has not adopted proper solutions
Meanwhile, according to cybersecurity researcher Rajshekhar Rajaharia, WhatsApp had not included the "robots.txt" file for its chat.whatsapp.com subdomain. This led to the indexing of group chat invite links as well as user profiles on Google and other search engines. Rajaharia claims developers generally use a "robots.txt" with web domains to clearly tell search engine crawlers to not analyze and index such links.
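The two controls discussed above behave differently, and this added example (not WhatsApp's or Google's code) shows how a site owner could check which one actually applies to a page: a "noindex" tag works only if the crawler is allowed to fetch the page, while a robots.txt Disallow stops the fetch, so the tag is never read. The host, invite path, page bodies and status strings are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed samples: the host, invite path and page bodies are made up.
URL = "https://chat.example.test/INVITE-PLACEHOLDER"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex"></head></html>'
PAGE_PLAIN = "<html><head><title>Join group</title></head></html>"
ROBOTS_NONE = ""                               # no robots.txt rules
ROBOTS_BLOCK = "User-agent: *\nDisallow: /\n"  # blocks all crawling


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" or "googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def indexing_status(url, robots_txt, headers, html, agent="Googlebot"):
    """Classify how a crawler that honours these controls would treat url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # The page is never fetched, so a noindex tag on it is never read;
        # the bare URL can still be listed if other pages link to it.
        return "crawl blocked, noindex unseen"
    meta = RobotsMeta()
    meta.feed(html)
    # Simplified: per-crawler prefixes in X-Robots-Tag are not handled.
    header = {d.strip().lower() for k, v in headers.items()
              if k.lower() == "x-robots-tag" for d in v.split(",")}
    if {"noindex", "none"} & (meta.directives | header):
        return "fetched, excluded by noindex"
    return "indexable"


if __name__ == "__main__":
    for robots, hdrs, page in [(ROBOTS_NONE, {}, PAGE_PLAIN),
                               (ROBOTS_NONE, {}, PAGE_NOINDEX),
                               (ROBOTS_NONE, {"X-Robots-Tag": "noindex"}, PAGE_PLAIN),
                               (ROBOTS_BLOCK, {}, PAGE_NOINDEX)]:
        print(indexing_status(URL, robots, hdrs, page))
```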