Anyone can join your private WhatsApp group using a simple Google search

Google has indexed the invite links for lots of “private” WhatsApp” groups. So, if you have a private group for your company, your team, or to talk about what Sheila from Accounts did at the Christmas Party – it’s not as secure as you might think.

And if you’re thinking “Meh, this really doesn’t bother me” it’s worth having a think about just how pervasive WhatsApp is and how often it is used for internal messaging and back-channeling even within large organisations. Motherboard tested out the process that was first documented by journalist Jordan Wildon and were able to join a group that was intended for NGOs accredited by the UN. Once they were in they not only had access to all of the participants but all their phone numbers.

How did Google index private WhatsApp groups?

There is a simple root cause to this problem – people sharing invite links on the “public” internet. Forum posts, social media, extranets… even with a basic search of my own I was able to find a huge list of “private” groups.

ProTip: Lots of people are talking about this problem, so the first few pages of Google results will now be blogs talking about this problem - go down past page 4 and you'll find the gold!

This isn’t a case of Google going inside WhatsApps systems, its simply a case of human beings sharing the link without thinking about the ramifications of doing so.

What’s Google Doing About It?

Google are basically doing… nothing. And, to be fair, they probably don’t need to. The links are public because WhatsApp made them public and its WhatsApp’s problem to deal with.

Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed.

Danny Sullivan, Google Search Liason on Twitter.

What Should Google Do About It?

If I were King of Google, I’d probably want to be a bit more proactive about this. Google know what they’ve indexed. They know which of those links has been surfaced in a search engine result and which have been clicked. So, in theory, they should be one database query away from letting users affected by this security problem know that they’ve been affected and that someone, somewhere has been given the opportunity to invite themselves to a private group.

Why won’t Google do this? If I was cynical I would say because WhatsApp is a competitor in the messaging space and Google have been trying to crack messaging for years. If I wanted to be kinder, I would say that doing this, even once, is the thin end of a very big wedge. How many other times could Google be called upon to mine their systems for data to help resolve someone else’s security problem? What level of responsibility would they then have?

Maybe there’s a reason why I’m not running Google after all…

So, what should you do about Google indexing your private WhatsApp group?

If you have a “private” WhatsApp group, it’s potentially already in Google’s index. You can change the invite code through the app, but there will still be one. *Try not to give that one away!*

The important thing to understand here is that this isn’t a security issue for WhatsApp to fix – there are plenty of legitimate reasons you might want to share the link for your WhatsApp group. In my short foray into Googling for WhatsApp groups, I found some enormous lists of groups that actively encourage people to join.

“links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

Facebook / WhatsApp spokesperson Alison Bonny

What’s happening here is that people are sharing the link and Google are finding it. What’s needed, therefore, is a better understanding of what the public internet is and a better understanding of how to protect “in house” systems from being indexed by Google.

Your post-Google indexed my private WhatsApp/whatever checklist

Google provide clear guidelines on how to stop pages being indexed by Google. The question is whether or not your web-based intranet, extranet, CRM application, etc. actually implements these features or not.

Clearly, in many of the cases affected by this problem, the person who posted the link either

  1. Posted it to a website that should have been secure but wasn’t.
  2. Posted it to a website that they thought was secure, but wasn’t.

As a web developer, I’ve seen this mistake often – a new website is set up on a test server and the developer forgets to update the configuration to prevent Google from indexing it. It’s an easy mistake to make and, arguably, preferable to forgetting to let Google know it can index your website (not that I’ve made that mistake…) but that test site then appears in Google’s index and starts drawing in clicks. Simple to fix with a redirect, but an issue that often goes undetected.

Much to the annoyance of every SEO-loving bone in my body, you can guarantee that if you don't want Google to index it - it will find it. Trust me - Google will seek that content out like an Exocet missile with a bloodhound strapped to the nose-cone.

Working with clients, I’ve often come across scenarios where data that is expected to private in in-house systems has been accidentally exposed to the web. These errors often don’t show up on security scans because security scanners often have to pointed at the thing they are testing. Google, however, goes *everywhere* sniffing out information.

If you’re storing data online or “in the cloud” (which is the same as storing it online but probably cost a bit more and there was a salesperson involved) it’s worth being pro-active and checking that you can’t “deep link” to content on your application. Try taking a URL from your CRM system, intranet, or a “private” part of your website and, in an incognito browser window, see if you can still get to that content.

If you can… Google can.

Leave a Reply