Search "chat.whatsapp.com" on Google, go a few pages down, and you’ll find hundreds of thousands of links for group chats on the Facebook-owned instant messaging service. The reason? Google indexes anything it can, including links to group chat if they’ve been shared on the open web. The problem is obvious — that means groups you might think are secure actually aren’t.
A journalist in Germany named Jordan Wildon tweeted about the problem on Friday, saying “Your WhatsApp groups may not be as secure as you think they are.” Wildon found that any group link that is shared “outside of secure, private messaging can relatively easily be found and joined.”
The scale of the problem — Another Twitter user with the handle @hackrzvijay reported the issue to Facebook in November last year, but was essentially told it’s not Facebook’s problem because it’s not responsible for search engine crawlers. Meanwhile, app reverse-engineer extraordinaire Jane Manchun Wong says the “misconfiguration by WhatsApp” has enabled Google to index roughly 470,000 group invitation links.
With a little ingenuity, Motherboard was able to find a self-described group for U.N.-accredited NGOs, join it, and view the full list of participants and their phone numbers. On the one hand, yikes. On the other, that’s how publicly shared URLs work. Arguably the bigger problem here is that we’ve decided we can trust services like Whatsapp with our sensitive conversations.
What can you do? — You can manually ask Google not to index the links to your WhatsApp groups, which is laborious. You can also ask everyone in your WhatsApp groups to refrain from sharing links to the group outside of WhatsApp. Or you can stop using WhatsApp already and move to Signal. No points for guessing which of these we recommend.