WhatsApp groups are showing up on Google search yet again. As a result, anyone could discover and join a private WhatsApp group by simply searching on Google. This was first discovered in 2019, and was apparently fixed last year after becoming public. Another old issue, which also appeared to have been fixed but seems to be cropping up again, is user profiles showing up through search results. Because of this issue, people’s phone numbers and profile pictures could be surfaced through a simple Google search.
By allowing the indexing of group chat invites, WhatsApp is making several private groups available across the Web as their links can be accessed by anyone using a simple search query on Google — although we are not sharing the exact details, this was verified by Gadgets 360. Someone who finds these links can join the groups and would also be able to see the participants and their phone numbers alongside the posts being shared within those groups.
Update: WhatsApp replied to say, “Since March 2020, WhatsApp has included the ‘noindex’ tag on all deep link pages which, according to Google, will exclude them from indexing.” Gadgets 360 was able to confirm that the search results are no longer visible on Google; however, WhatsApp’s statement did not mention this fix. The full statement is at the end of this story. Rajshekhar Rajaharia, who reported the indexing issue, commented on WhatsApp’s statement and said, “Adding the ‘noindex’ tag is not a proper solution as links surface again on search results in a few months. Big tech companies like WhatsApp should look for a proper solution if they really care about users’ privacy.”
Private groups on WhatsApp are usually only accessible by those who have been sent an invite link by a moderator. However, these links were indexed by Google, making them discoverable by everyone. The same issue was exposed in February last year.
Following the latest privacy breach, WhatsApp said it has resolved the problem with Google.
“Since March 2020, WhatsApp has included the ‘noindex’ tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats,” the Facebook-owned messaging app said in a statement.
WhatsApp also warned users not to post group chat invite links on publicly accessible websites.
Cybersecurity researcher Rajshekhar Rajaharia tweeted that WhatsApp Web users’ data was being indexed on Google again, pointing out that this was the third time the issue had occurred.
When information is indexed, it can be found in a search engine and made public. As such, companies generally take measures to prevent private data from being indexed.
15 Jan 2021, If you are using @WhatsApp Web, your Mobile Number and Messages are being indexed by @Google again. Don’t know why WhatsApp is still not monitoring their website and google. This is 3rd time. #Infosec #Privacy #infosecurity #GDPR #Whatsapp #Privacy #Policy #Google pic.twitter.com/D6o1emxDgv
— Rajshekhar Rajaharia (@rajaharia) January 15, 2021
He had pointed out a similar issue earlier on Jan 11, where users’ profiles and invitations to join group chats were exposed on Google, which enabled strangers to potentially find users’ phone numbers or even join chats.
In regards to the latest leak, Rajshekhar noted that WhatsApp was using a “Robots.txt” file and a “disallow all” setting, to instruct Google not to index anything.
Though a Robots.txt, or robots exclusion protocol, is generally used to instruct web crawlers (which index pages) to stay away, Google was still indexing WhatsApp user data.
Rajshekhar explained why this was still occurring: Google requires page owners not to use Robots.txt when using the “noindex” tag, as stated in its search indexing help page.
This is because the two mechanisms clash: Google cannot detect the “noindex” tag on a page if Robots.txt stops it from crawling that page.
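The conflict described above can be checked mechanically for any page a site owner wants kept out of search. The following is an added example, not code from the article, WhatsApp or Google; the function name, status strings, URL and sample documents are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def noindex_status(robots_txt, url, html, headers=None, agent="Googlebot"):
    """Classify whether a crawler can actually see the page's noindex directive."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    meta = _RobotsMeta()
    meta.feed(html)
    hdrs = {k.lower(): v.lower() for k, v in (headers or {}).items()}
    has_noindex = "noindex" in meta.directives or "noindex" in hdrs.get("x-robots-tag", "")

    if has_noindex and crawlable:
        return "noindex-effective"             # crawler fetches the page and reads the tag
    if has_noindex:
        return "noindex-hidden-by-robots-txt"  # tag exists, but the crawler never fetches it
    if crawlable:
        return "indexable"                     # nothing tells the crawler to stay out
    return "blocked-but-url-may-still-be-indexed"  # URL can be indexed via external links

# Constructed sample data (not captured from any real site).
URL = "https://chat.example.invalid/invite/CONSTRUCTED"
PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
BLOCK_ALL = "User-agent: *\nDisallow: /\n"   # the "disallow all" setting
ALLOW_ALL = "User-agent: *\nAllow: /\n"

if __name__ == "__main__":
    for label, robots in (("disallow all", BLOCK_ALL), ("allow all", ALLOW_ALL)):
        print(f"{label}: {noindex_status(robots, URL, PAGE)}")
```

Run against a site's real robots.txt and a sample of its private link pages, any result other than `noindex-effective` means the page is relying on a control the crawler cannot see.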