Update, February 21, 2020 (03:20 PM ET): It turns out that Facebook has been well aware of this private WhatsApp chat flaw for months. Thanks to Twitter user @hackrzvijay, we know that Facebook was notified back in November 2019 about this security flaw. However, Facebook didn’t do anything about it.
The Twitter user in question reported the problem to Facebook with the intention of receiving a cash bounty. In this tweet, the hacker posts a message from Facebook declining to give a bounty because the ability for anyone to find invite codes online for private WhatsApp chat groups is “an intentional product decision.” Facebook then says that it cannot control what Google and other search engines index, so its hands are tied.
As far as we can tell, both Facebook and Google are still not talking publicly about this problem, but this Facebook message makes it seem as though Facebook doesn’t think there’s anything wrong with your private WhatsApp chat groups being easily accessible by anyone.
Original article, February 21, 2020 (10:25 AM ET): According to a new report from Vice, private WhatsApp group invites might not actually be so private. Through some pretty basic Google searching, it’s relatively easy to gain access to private chat groups.
Normally, private WhatsApp group chats are only accessible via an invite code that gets handed out by the moderators of the chat. These invite codes, though, are simply URLs with specific strings of text. It appears that Google is indexing at least some of these invites, which enables pretty much anyone with Google access to find them.
Now, before you get out the pitchforks and start storming Google’s gate, from the outset this appears to be a WhatsApp problem (or, more specifically, a Facebook problem, as it owns WhatsApp). Google uses crawlers to index URLs across the internet, and it is very easy for websites and apps to place a line of code on pages that tells these Google crawlers not to index the information there. The likely reason behind this problem is WhatsApp failing to do this.
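The "line of code" mentioned above is normally a `noindex` robots directive, sent either as a `<meta name="robots">` tag or as an `X-Robots-Tag` response header. The following is an added example, not code from the article, Vice or WhatsApp, showing how a site owner could check a response for either form; the function names and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

CRAWLER_NAMES = {"robots", "googlebot"}  # "robots" addresses every crawler
BLOCKING = {"noindex", "none"}           # "none" means "noindex, nofollow"


def _directives(value, scoped=False):
    """Split a robots directive string into lowercase directive names."""
    value = value.strip().lower()
    head, sep, rest = value.partition(":")
    head = head.strip()
    # X-Robots-Tag may start with "<crawler>:" to address a single crawler.
    if scoped and sep and "," not in head and head != "unavailable_after":
        if head not in CRAWLER_NAMES:
            return set()  # rule is addressed to some other crawler
        value = rest
    # Keep only the name of valued directives such as "unavailable_after: <date>".
    return {tok.split(":")[0].strip() for tok in value.split(",") if tok.strip()}


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").strip().lower() in CRAWLER_NAMES:
            self.directives |= _directives(attr.get("content", ""))


def indexing_blocked(headers, html):
    """True if the response tells Google's crawler not to index the page."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= _directives(value, scoped=True)
    parser = _RobotsMeta()
    parser.feed(html)
    return bool((found | parser.directives) & BLOCKING)


# Constructed sample responses for a hypothetical invite-link landing page.
OPEN_PAGE = '<html><head><meta property="og:title" content="Group invite"></head></html>'
META_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    print(indexing_blocked([("Content-Type", "text/html")], OPEN_PAGE))  # False
    print(indexing_blocked([("X-Robots-Tag", "noindex")], OPEN_PAGE))    # True
```

A crawler only sees a `noindex` directive if it is allowed to fetch the page, so the same URL must not also be disallowed in robots.txt.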
Vice reached out to both Google and Facebook about this matter but didn’t receive a response.
If you want to comb through Google Search to find out if your private WhatsApp group is indexed, just start with a “chat.whatsapp.com” string and then enter in some information specific to your chat. Vice did this and was able to find several chat groups related to sharing porn as well as a chat that describes itself as being for NGOs accredited by the United Nations. These chat groups listed out members’ names as well as contact information, in some cases phone numbers.
This story will no doubt make the rounds today and WhatsApp and Facebook will need to respond soon. There’s about to be a lot of angry users.