Invitations to WhatsApp group chats are being indexed by Google, making the invite links —including links to private group chats — discoverable and available to anyone who wants to join, Motherboard reports.
Journalist Jordan Wildon said on Twitter that he discovered that WhatsApp’s “Invite to Group Link” feature lets Google index groups, making them available across the internet since the links are being shared outside of WhatsApp’s secure private messaging service.
Motherboard was able to find private groups using specific Google searches (and the results included a lot of porn-sharing groups). Once they joined a group — which was intended for NGOs accredited by the UN — they had access to all of the participants and their phone numbers.
Group admins can invalidate a link to a chat if they want to, but Wildon says he discovered that, in those situations, WhatsApp only generates a new link; it doesn’t necessarily disable the original link.
We’ve reached out to Google and WhatsApp parent company Facebook to confirm whether this is intentional behaviour or some kind of glitch. We’ll update if we hear back.
WhatsApp, of course, has had its share of security-related headaches in recent months. An alleged hack by Saudi Arabia into Amazon CEO Jeff Bezos’ phone back in 2018 was reportedly carried out via a malware-infected WhatsApp message. Last May, a vulnerability discovered in the app was being used to inject spyware on Android and iOS phones via phone call.