WhatsApp links that lead to closed groups can be found with a simple Google search — a major security flaw revealed by DW last week. Following social media outrage, the links were removed from Google’s search results.
Despite the removal, however, publicly-available internet archives are still storing the information, as security researcher Lav Kumar has found out. He gathered and organised over 60,000 unique links, which can still be found on multiple websites.
Of the 1,000 randomly selected links DW tested, 427 were active chat links. Even without actively joining a group, its title, description, image and creator’s phone number are available for all. However, upon entering a group, it is possible to also see the phone numbers of up to 256 participants, as well as other information, and adding these numbers to one’s contacts can reveal their names in the app.
“We show all numbers in groups for people’s safety that way they know who will receive their messages,” WhatsApp told DW in response.
Using this information, DW gained access to a group described as “Ministry of finance civil servants” in Indonesia, revealing the phone numbers of all 14 members. Several other groups appeared to be official support groups for the campaign of Brazilian President Jair Bolsonaro.
Among the 427 active links DW examined, there were groups described as being for school classes, medical trainees, political campaigns, businesses, pornography and sex workers. Some groups included members with particularly sensitive identities, such as one chat with hundreds of members clearly labeled as an LGBTQ+ group in a Latin American country with high rates of homophobic murders.
In some cases, the group image looked like amateur pornography or had titles such as “ex-wives leaked videos,” raising questions of consent.
Also listed were potential terrorist groups and groups advertised as for sharing footage of “extreme” sexual content, including rape. A small number indicated that they were for child pornography.
WhatsApp told DW that the company has a zero-tolerance policy around child sexual abuse and bans users immediately if they are found sharing content that exploits or endangers children.
The platform also claims to ban approximately 250,000 accounts each month suspected of sharing exploitative images of children and relies on user reports and all unencrypted information to do so.
‘Useful for terrorism chats’
In response to the revelations, some Twitter users pointed out that this information could be used by authorities to track down illegal content without WhatsApp offering an official “backdoor” to encrypted content.
“Of course there is a possibility that they left it open to search for problem groups,” Jake Moore, a cybersecurity specialist and former Head of Digital Forensics at a British police force, told DW, “they aren’t always too keen to help law enforcement, so might have found it beneficial to offer it out to law enforcement and not openly mention it.”
On whether law enforcement would use this proactively to identify crime, Moore said: “Most police forces aren’t that proactive, [but] rather reactive. However, I would imagine it would be useful for terrorism chats, yet I doubt they use WhatsApp.”
However, investigations into far-right terrorism in Germany show that organizations have used WhatsApp to introduce members to each other.
Not a priority
Reports of the flaw go as far back as 2016 when Mexican computer scientist Aurelio Cuautle found phone numbers listed in Google search results and informed WhatsApp. In emails to the company, he detailed how this information was found. After initial replies, Cuautle said he stopped receiving responses. However, the phone numbers were later removed.
A Hyderabad-based security researcher, known as HackrzVijay on Twitter, says he reported the issue to Facebook in November 2019. In the emails, Facebook admitted that “the links being accessible by anyone was an intentional product decision,” adding that “the surprise here was that they’re indexed by Google.” In another email seen by DW from February 26, Facebook reiterated this stance.
In December 2019, the issue was reported again by an 18-year-old hacker. Facebook responded by saying that it would consider “further mitigation,” adding that it cannot control what search engines index. In the response seen by DW, Facebook said that this was not considered a “high priority.”
When pressed by DW as to why WhatsApp removed the listings despite saying this was intentional, Facebook said that they “don’t have anything further to share on that question.”
‘Leaky and bad’
Though not technically a data breach, Jane Manchun Wong, an app reverse-engineer, called the security flaw “leaky and bad, because people expected the invite links to be private [to] a certain extent.”
Search engines like Google index pages listed on public sites, Google’s liaison of Search, Danny Sullivan, explained to DW. But Google also “offers tools allowing sites to block content being listed in search results,” he added, meaning that WhatsApp could have made sure group links are invisible to the public — but chose not to.
Even websites that seem secure can have information indexed. In 2018, The Intercept discovered that governments of the UK and Canada added private data to Trello, a project management website. Subsequently, this information was indexed by Google.
In a statement, WhatsApp said that “group admins are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
A spokesperson for WhatsApp also highlighted that the app “clearly communicates a warning to people who share a group invite link,” and “group admins can revoke links at any time.” However, revoking a link only generates a new link, and does not turn links off altogether.
“It’s great to see WhatsApp taking steps to fix the oversight,” Wong said, “but it’s only the first step,” she warned, noting that information is still available on other search engines. It is also possible, though highly unlikely, that users could enter any group by guessing the 22-character identifier in the URL.
The piece of code preventing search engines from indexing links is “more like a social contract,” Wong explains. Despite the criticism it may attract, a crawler can simply choose to ignore that code, which casts doubt on how much such a social contract is worth.
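The advisory nature of those signals can be checked directly. The following Python is an added example, not DW's or WhatsApp's code: it evaluates a constructed robots.txt, a constructed response header and a constructed HTML page for a hypothetical /invite/ path and reports which of the three no-indexing signals cover the URL. A well-behaved crawler honours all three; nothing in the protocol forces it to.

```python
"""Audit which advisory no-indexing signals cover an invite-style URL.

Added example (not DW's or WhatsApp's code). The three signals a site can
emit are robots.txt Disallow rules, an X-Robots-Tag response header and a
<meta name="robots"> tag. Every input below is constructed for the demo.
"""
from urllib.robotparser import RobotFileParser
from html.parser import HTMLParser

# Constructed robots.txt: the hypothetical /invite/ path is disallowed for all crawlers.
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /invite/\n"

# Constructed landing page carrying a robots meta tag with noindex.
SAMPLE_HTML = ('<html><head><meta name="robots" content="noindex, nofollow">'
               '</head><body>Join the group</body></html>')

# Constructed response headers for the same page.
SAMPLE_HEADERS = {"X-Robots-Tag": "noindex"}


def robots_allows(robots_txt: str, url: str, user_agent: str = "Googlebot") -> bool:
    """True if robots.txt permits user_agent to crawl url (a request, not an access control)."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


class _MetaRobots(HTMLParser):
    """Collects whether a <meta name="robots"> tag in the page says noindex."""
    def __init__(self) -> None:
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            if "noindex" in (a.get("content") or "").lower():
                self.noindex = True


def has_noindex(headers: dict, html: str) -> bool:
    """True if the X-Robots-Tag header or a robots meta tag carries noindex."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "noindex" in lowered.get("x-robots-tag", "").lower():
        return True
    meta = _MetaRobots()
    meta.feed(html)
    return meta.noindex


def indexing_exposure(robots_txt: str, url: str, headers: dict, html: str) -> dict:
    """Summarise the signals. Caveat: a Disallow stops a compliant crawler from fetching
    the page at all, so it never sees a noindex tag; the bare URL can still be listed
    if it is linked from elsewhere, which is why noindex and Disallow are not equivalent."""
    return {"crawl_allowed": robots_allows(robots_txt, url),
            "noindex": has_noindex(headers, html)}
```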