CYBERSECURITY: WhatsApp links generated to invite other users to a conversation have been indexed by search engines, thus becoming visible to all.
Private conversations on WhatsApp may not really be… Several media outlets in recent days have exposed a huge scandal linked to the privacy of hundreds of thousands of email users belonging to Facebook. Search engines, including Google or Bing, would reference the information of certain conversations exchanged on encrypted messaging.
To share access to a WhatsApp newsgroup, users can generate a link to send to people they want to join this group. And it is this famous link that would end up indexed on search engines without users being aware, details the American site Vice.
JUST IN: Google appears to have removed indexing of WhatsApp links.
Other major search engines appear to still be indexing chat links. pic.twitter.com/D07MQBQsEY
— Jordan Wildon (@JordanWildon) February 22, 2020
Thousands of accessible phone numbers
A simple search on the address “chat.whatsapp.com” provides information on a particular discussion. This single-site returns to nearly half a million results, or as many private conversations indexed by Google, notes the site Vice. Hundreds of thousands of conversations, and thousands of telephone numbers, including those of public figures, are thus accessible in a few clicks on the Web.
By adding certain keywords, the Numerama site was able to join a private conversation concerning the Europe Ecology-The Greens party in Ile-de-France and thus access the telephone numbers of several political figures.
On a trouvé en quelques clics les numéros de portable de personnalités publiques françaises, via une simple recherche Google. Voici comment c’est possible 👇 https://t.co/q5q9w2YTr7 pic.twitter.com/3fD2Yuy0Bu
— Marie Turcan (@TurcanMarie) February 21, 2020
Whose fault is it?
It is not the search engines that are responsible for this error, but WhatsApp. The messaging service should have told the platforms not to index certain URLs. “Search engines like Google list web pages. This is what happens in the case mentioned. These pages are treated like any site with a public URL, “explained on Twitter Danny Sullivan, in charge of communications for Google , adding that the platform” offered tools to sites wishing to block the referencing of their content “.
470,000 private conversation invitation links were still available on Google on Friday. But it would seem that the platform has since deindexed a certain number of links. This is not the case with other search engines: Bing still listed 697,000 results on Saturday afternoon, the same for Yahoo.
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3
— Danny Sullivan (@dannysullivan) February 21, 2020
“Not really a flaw”
Asked about this bug by an Indian cybersecurity researcher in November 2019, Facebook replied that it was not really a “flaw”. “The fact that the links are accessible to all is an intentional decision” of the group. “Unfortunately, we cannot control everything that search engines, like Google and others, choose to index,” explains the company.
I reported to facebook security in early november 2019 but they said intended behavior…. pic.twitter.com/V7HzjZZzCI
— HackrzVijay 💻 (@hackrzvijay) February 21, 2020
Solicited by Vice, WhatsApp again warned Internet users: “Links that users want to share privately with people they know and trust must not be published on a website accessible to the public. ”
