Deutsche Welle multimedia journalist Jordan Wildon said in a series of tweets that he accidentally opened content-discovery and social analytics tool CrowdTangle via a WhatsApp web tab and discovered that Google was indexing group invites shared on the messaging application via links.
WhatsApp and CrowdTangle are both owned by Facebook.
Wildon wrote, “On top of that, even if you haven’t shared the link, it’s possible, but difficult, to run a kind of brute-force method to get access to a URL that corresponds to an active group chat.”
WhatsApp said a group link can be found online only if the invite link was posted on the open internet, on a publicly accessible website, which it said applies to only a small minority of groups. It also shared a screenshot of its invite link process.
A WhatsApp spokesperson added in an email, “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Twitter user @hackrzvijay (no further information on his identity was available via his profile) replied that he reported the issue to Facebook in early November, and shared the response he received from Facebook security.
It read, in part, “The links being accessible by anyone was an intentional product decision. Group administrators can invalidate the link if so desired. The surprise here was that they’re indexed by Google. However, we cannot completely control what all search engines—Google and others—index.”
Wildon confirmed that he was able to generate new links in the WhatsApp app that invalidated the old links, but he was not able to disable those links altogether.