WhatsApp security exposed again over publicly-available group invite links

German online media Deutsche Welle's multimedia journalist, Jordan Wildon, spotted the vulnerability first

WhatsApp, the most widely used instant messaging app, is in the news yet again over a security concern. The Facebook-owned app is reportedly exposing its users through publicly available group invite links: because the links get indexed, a few simple queries on several search engines can surface groups, and with them members' phone numbers and other personal details.

According to a report by SEJ, citing Motherboard, the exposure stems from group invite links that were posted on publicly accessible web pages. Search-engine crawlers pick those links up like any other public URL, so they show up in ordinary search results. A threat actor can therefore find many WhatsApp groups with a single query and, because an invite link grants entry to whoever holds it, join a group without the admin ever approving the request.


WhatsApp groups may not be that secure

The issue was spotted first by Jordan Wildon, a multimedia journalist at the German online outlet Deutsche Welle. He tweeted: "Your WhatsApp groups may not be as secure as you think they are." App reverse engineer Jane Wong later confirmed in a tweet that she had found around 470,000 such results on Google alone.

While verifying the claim, Motherboard joined some of the groups and found dozens to hundreds of participants' phone numbers. Wildon wrote: "The 'Invite to Group via Link' feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some... interesting... groups."

[Image: a screenshot of a WhatsApp group joined by Motherboard. Credit: Motherboard]

"Search engines like Google & others list pages from the open web. That's what's happening here. It's no different than any case where a site allows URLs to be publicly listed," explained Google's Danny Sullivan.

Google removes existing crawling results

Once the issue was reported, Google removed the indexed invite links from its results so that they can no longer be reached through Google Search. Many of the links were still discoverable, however, through other popular search engines such as Bing, DuckDuckGo and Qwant.

The search engines cannot be held responsible for the leak: their crawlers index whatever is publicly linked, exactly as Sullivan describes. An invite link is a bearer credential, so possession alone is enough to join, and once an admin or member pastes it on a public page it is as exposed as anything else on that page. Removing it from one search engine's index does not revoke it; for a link that has already leaked, the group admin has to reset the invite link from the group's settings, which invalidates the old one, and invite links should be treated as secrets rather than posted publicly. It is WhatsApp, rather than the search engines, that should be more concerned about how much of this data ends up indexed.
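The mechanism above can be turned into a check of your own: the same pattern a crawler picks up can be scanned for in pages, wikis or logs you control, to find invite links that should never have been published. The script below is an added example, not code from the article, from Motherboard or from WhatsApp. It assumes invite links take the form `chat.whatsapp.com/<code>` or `chat.whatsapp.com/invite/<code>` with a URL-safe code of 20 to 24 characters; the sample pages are constructed.

```python
"""Find WhatsApp group invite links that have ended up on public pages.

Added example, not from the article or from WhatsApp. It models what a
search-engine crawler does with an invite link that is pasted on a public
page: the link is a bearer credential, so merely finding it is enough to
join the group. Running the same scan over your own pages or logs shows
which links you have exposed. Sample pages below are constructed.
"""
import re
from html import unescape

# Assumption: invite codes are runs of 20-24 URL-safe characters, served
# either as chat.whatsapp.com/<code> or chat.whatsapp.com/invite/<code>.
INVITE_RE = re.compile(
    r"https?://chat\.whatsapp\.com/(?:invite/)?([A-Za-z0-9_-]{20,24})\b"
)

# Constructed sample pages standing in for crawled HTML.
SAMPLE_PAGES = {
    "https://example.org/forum/thread/1": """
        <p>Join our study group here:
        <a href="https://chat.whatsapp.com/AbCdEfGhIjKlMnOpQrStUv">click</a></p>
    """,
    "https://example.org/blog/post": """
        <p>Link: https://chat.whatsapp.com/invite/AbCdEfGhIjKlMnOpQrStUv?utm=x</p>
        <p>Another: https://chat.whatsapp.com/Zz9Yy8Xx7Ww6Vv5Uu4Tt3S</p>
    """,
    "https://example.org/about": "<p>No links here.</p>",
}


def extract_invite_codes(text):
    """Return the distinct invite codes found in one page body, in order."""
    seen = []
    # unescape() so links hidden in HTML entities (e.g. &#47;) are still seen.
    for code in INVITE_RE.findall(unescape(text)):
        if code not in seen:
            seen.append(code)
    return seen


def canonical_link(code):
    """Rebuild the join URL; both URL forms lead to the same group."""
    return f"https://chat.whatsapp.com/{code}"


def scan_pages(pages):
    """Map each invite code to the list of public URLs that expose it."""
    exposures = {}
    for page_url, body in pages.items():
        for code in extract_invite_codes(body):
            exposures.setdefault(code, []).append(page_url)
    return exposures


def redact_invite_links(text):
    """Replace the code in every invite link; use before logs or pages
    are stored anywhere a crawler or a third party can read them."""
    return INVITE_RE.sub("https://chat.whatsapp.com/[REDACTED]", text)


if __name__ == "__main__":
    for code, urls in scan_pages(SAMPLE_PAGES).items():
        print(f"{canonical_link(code)} exposed on {len(urls)} page(s):")
        for url in urls:
            print(f"  {url}")
        print("  action: reset the invite link in the group settings")
```

Each code that appears is a group anyone can join, so the report lists the pages to clean up and the links the admin should reset; `redact_invite_links` is the complementary control for content you have to keep (tickets, chat exports, access logs) so the code never gets stored in the clear.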
