On Friday, Jordan Wildon – a journalist for the German media outlet Deutsche Welle – warned the world that their WhatsApp groups “may not be as secure as you think they are.”
A simple Google search could lead people to invite codes that would let them find and join private WhatsApp group chats, given that the pages were indexed by Google…
Your WhatsApp groups may not be as secure as you think they are.
The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q
— Jordan Wildon (@JordanWildon) February 21, 2020
…and somebody who filed a bug report about it revealed that both WhatsApp parent company Facebook and Google have known about this for months.
Wildon said that any group link shared outside of secure, private messaging could be found relatively easily and joined. This is past tense, at least for Google search: as of Saturday, WhatsApp tweaked the glitch out of existence, though the search was still working on other major search engines as of today. Worse still, the links could have been found through Google search even if they hadn’t been shared, he said:
[…] it’s possible, but difficult, to run a kind of brute-force method to get access to a URL that corresponds to an active group chat.
Stop me if you’ve heard this one before: it’s a feature, not a bug. That’s what Facebook told Twitter user @hackrzvijay when the platform turned down their bug report in September 2019:
This was an “intentional product decision,” Facebook said. It’s not our fault that group admins haven’t invalidated the links that people can find with a simple search. Heck, we’re surprised that Google’s even indexing them.
Well, Facebook shouldn’t be surprised. The invite codes are just URLs with specific strings of text that Google uses to index pages across the internet. Here’s a response from Google’s Danny Sullivan, its public search liaison:
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3
— Danny Sullivan (@dannysullivan) February 21, 2020
Regardless of what Facebook says, its hands likely aren’t tied in this matter. It’s simple enough for WhatsApp to plunk a line of code that tells search crawlers not to index the information on private group pages. Later on Friday, one hacker who reverse-engineers apps – Jane Manchun Wong – confirmed that it was WhatsApp’s fault. It wasn’t inevitable that those group pages got indexed, Wong said. All it would have taken to keep them from being indexed was the insertion of a simple text string:
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been `Disallow`ed with robots.txt or with the `noindex` meta tag
thanks @JordanWildon for the tip https://t.co/CJxjJ5qyfh pic.twitter.com/FrW1I9Y8vs
— Jane Manchun Wong (@wongmjane) February 21, 2020
… which apparently also occurred to somebody at WhatsApp – eventually, after the media storm had been raging for a while. By Saturday, the app had picked up a `noindex` code on the chat invitation URLs and the listings had been removed from Google:
Looks like WhatsApp has fixed it by removing the existing listing from Google and adding the `noindex` meta tag on the chat invitation links! 😀 pic.twitter.com/kict2bsENu
— Jane Manchun Wong (@wongmjane) February 22, 2020
… thus, fittingly enough, rendering the private chats unfindable and, hence, more private… at least on Google, that is. As of this morning, you could still find the strings when using other major search engines, as Forbes reported and which I confirmed by searching on one of the strings using DuckDuckGo.
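For site owners who want to verify the two controls named above (`Disallow` in robots.txt and the `noindex` meta tag), here is an added example, not WhatsApp's code or anything from the original article, that audits a page for both plus the equivalent `X-Robots-Tag` response header. The host, invite code, page bodies and function names are constructed placeholders. It also encodes a general crawler behaviour the article does not cover: a `Disallow` rule stops the page from being fetched, so the crawler never sees a `noindex` on it, and a URL linked from elsewhere can still be listed.

```python
import re
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def _has_noindex(tokens):
    # "none" is shorthand for "noindex, nofollow".
    return bool({"noindex", "none"} & set(tokens))

def audit_indexing(url, robots_txt, headers, html, agent="Googlebot"):
    """Report which indexing controls apply to one URL (hypothetical helper)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_blocked = not rp.can_fetch(agent, url)

    meta = _RobotsMeta()
    meta.feed(html)
    header = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    noindex = (_has_noindex(meta.directives)
               or _has_noindex(re.split(r"[,:\s]+", header.lower())))

    if crawl_blocked:
        # The crawler never fetches the page, so it cannot see a noindex on it.
        verdict = "not crawled, URL may still be listed"
    elif noindex:
        verdict = "excluded from index"
    else:
        verdict = "indexable"
    return {"crawl_blocked": crawl_blocked, "noindex": noindex, "verdict": verdict}

# Constructed sample data (placeholder host and invite code, not real values).
URL = "https://chat.example.test/invite/PLACEHOLDERCODE"
PAGE_BEFORE = "<html><head><title>Group invite</title></head></html>"
PAGE_AFTER = '<html><head><meta name="robots" content="noindex"></head></html>'
ROBOTS_DISALLOW = "User-agent: *\nDisallow: /invite/\n"

if __name__ == "__main__":
    print(audit_indexing(URL, "", {}, PAGE_BEFORE))
    print(audit_indexing(URL, "", {}, PAGE_AFTER))
    print(audit_indexing(URL, ROBOTS_DISALLOW, {}, PAGE_AFTER))
```

Neither control limits who can open a link they already hold; both only affect whether search engines list it.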
As of this morning, WhatsApp hadn’t gotten back to any news outlets with a mea culpa, at least not that I could find. Facebook didn’t reply to my request for a comment. But WhatsApp did take the time to blame the privacy breach on users.
The Facebook subsidiary told Vice’s Motherboard that the problem was users’ fault for posting invite codes on public sites:
Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
Vice’s Joseph Cox had also found that many of the publicly available URLs for private chats led to groups for sharing porn. But others appear to be for groups that share other sensitive material: one URL that Vice checked out was leading to a group chat that describes itself as being for NGOs accredited by the United Nations.
Vice joined and was able to view a list of all 48 participants and their phone numbers.
Just the latest
WhatsApp may well be encrypted end-to-end, but it’s certainly had its share of security pratfalls. Earlier this month, for example, PerimeterX researcher Gal Weizman uncovered a clutch of vulnerabilities that led him to a cross-site scripting (XSS) flaw affecting WhatsApp desktop for Windows and macOS when paired with WhatsApp for iPhone – a flaw that gave attackers access to local files.
Last May, a severe WhatsApp zero-day was being exploited by a nation state group to attempt to install spyware on targets simply by phoning them. In 2018, Google researchers revealed a flaw that could have compromised a device, again via a simple call.
Facebook is now in the process of stitching together the technical infrastructure of all its messaging products – Instagram, Facebook Messenger and WhatsApp – so that users of each app can talk to each other more easily.
Whatever happened behind the scenes with this glitch getting semi-fixed, WhatsApp and Facebook don’t seem to want to reach out to all the major search engines to get group chat links de-indexed. Or, at least, if they’re in the process of doing that, it’s certainly not something that’s being owned up to publicly.