Imagine discussing important details with your office colleagues on the team’s WhatsApp group, when suddenly a random person joins in. This person now has immediate access to information like the details of group members and the group’s name and profile picture. This was a real issue: it was possible to discover private group chats via Google Search. The issue was fixed back in 2019 but has now surfaced again.
A new report by Internet Security Researcher Rajshekhar Rajaharia (@rajaharia) suggests that WhatsApp groups that use links to allow users to enter may once again be vulnerable to being found online. This would theoretically allow anyone to join the group. Indian Express verified the vulnerability and can confirm that some WhatsApp groups may be joinable from the web.
Your @WhatsApp groups may not be as secure as you think they are. WhatsApp Group Chat Invite Links, User Profiles Made Public Again on @Google Again.
Story – https://t.co/GK2KrCtm8J #Infosec #Privacy #Whatsapp #infosecurity #CyberSecurity #GDPR #DataSecurity #dataprotection pic.twitter.com/7PvLYuM9xD
— Rajshekhar Rajaharia (@rajaharia) January 10, 2021
When WhatsApp group chat invite links are indexed, the links for private groups can be searched for across the web and used to join those groups. This allows searchers to find the phone numbers of users along with their profile pictures. Should nobody notice these unwelcome entries into the group, the stranger could stay hidden for quite some time until someone realizes his/her presence. What’s worse, even after such strangers are kicked out of the group, their brief entry still leaves them with the list of phone numbers in the group.
This has happened before in 2019
Back in 2019, the same issue was found by a security researcher, who reported the matter to Facebook. It was later fixed after the issue became public and attracted a lot of media attention. However, as per a report by Gadgets360, the same groups that were exposed in 2019 are no longer indexable, suggesting that a different issue has led to the bug.
Even user profiles are now indexed on Google
The issue is not just with group invite links but also with individual user account profiles. URLs of people’s profiles can now be searched on Google. This allows strangers to access the profiles of those indexed, displaying their phone numbers and, in some cases, their profile pictures as well. This issue has also occurred before and was reportedly fixed in June 2020. Indian Express has reached out to WhatsApp for a comment on the issue.