Image: SOPA Images / Contributor via Getty Images
Google indexes invitation links to WhatsApp group chats that administrators may wish to be private. This means that with a simple search, random people can discover and join a wide range of WhatsApp group chats.
“Your WhatsApp groups may not be as secure as you think,” Jordan Wildon, media reporter for German newspaper Deutsche Welle, tweeted friday. By using particular Google searches, people can discover links to chats, Wildon explained.
Reverse-engineering applications Jane Wong added in a tweet that Google has about 470,000 results for a simple search for “chat.whatsapp.com”, part of the URL that makes up WhatsApp group invitations.
Motherboard used a number of specific Google searches to find invitation links to WhatsApp groups. Some of the groups seem not to be too sensitive or for a particular audience. Lots of links on Google lead to porn sharing groups.
But others seem to be aimed at specific groups. Motherboard participated in a WhatsApp group chat which describes itself as being aimed at UN accredited NGOs. After joining, Motherboard was able to see a list of the 48 participants and their phone numbers.
Danny Sullivan, Google Public Search Liaison, tweeted “Search engines like Google and others list pages on the open web. That’s what’s happening here. It’s no different than any case where a site allows the public list of URLs. provide tools that allow sites to block content listed in our results. “
A spokesperson for WhatsApp said in a statement, “Group admins in WhatsApp groups can invite any WhatsApp user to join that group by sharing a link they’ve generated. published publicly on the Internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
Do you work at WhatsApp? Did you find a sensitive WhatsApp group? We would love to hear from you. Using a non-business phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or by email to [email protected]
Update: This article has been updated to include a comment from WhatsApp and a tweet from Sullivan.
Subscribe to our cybersecurity podcast, CYBER.