On Friday, Jordan Wildon – a journalist for the German media outlet Deutsche Welle – warned the world that their WhatsApp groups “may not be as secure as you think they are.”
A simple Google search could lead people to invite codes that would let them find and join private WhatsApp group chats, given that the pages were indexed by Google… and somebody who filed a bug report about it revealed that both WhatsApp parent company Facebook and Google have known about this for months.
Wildon said that any group link shared outside of secure, private messaging could be found relatively easily and joined. This is past tense, at least for Google search: as of Saturday, WhatsApp tweaked the glitch out of existence, though the search was still working on other, major search engines as of today. Worse still, the links could have been found through Google search even if they hadn’t been shared.
This was an “intentional product decision,” Facebook said. It’s not our fault that group admins haven’t invalidated the links that people can find with a simple search. Heck, we’re surprised that Google’s even indexing them.
Well, Facebook shouldn’t be surprised. The invite codes are just URLs with specific strings of text that Google uses to index pages across the internet.
Regardless of what Facebook says, its hands likely aren’t tied in this matter. It’s simple enough for WhatsApp to plunk a line of code that tells search crawlers not to index the information on private group pages. Later on Friday, one hacker who reverse-engineers apps – Jane Manchun Wong – confirmed that it was WhatsApp’s fault. It wasn’t inevitable that those group pages got indexed, Wong said. All it would have taken to keep them from being indexed was the insertion of a simple text string:
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines It should’ve been… twitter.com/i/web/status/1…
—
Jane Manchun Wong (@wongmjane) February 21, 2020
… which apparently also occurred to somebody at WhatsApp – eventually, after the media storm had been raging for a while. By Saturday, the app had picked up a noindex code on the chat invitation URLs and the listings had been removed from Google:
Looks like WhatsApp has fixed it by removing the existing listing from Google and adding the `noindex` meta tag on… twitter.com/i/web/status/1…
—
Jane Manchun Wong (@wongmjane) February 22, 2020
… thus, fittingly enough, rendering the private chats unfindable and, hence, more private… at least on Google, that is. You could still find the strings when using other major search engines, as Forbes reported.
As of this morning, WhatsApp hadn’t gotten back to any news outlets with a mea culpa, at least not that I could find. Facebook didn’t reply to my request for a comment. But WhatsApp did take the time to blame the privacy breach on users.
The Facebook subsidiary told Vice’s Motherboard that the problem was users’ fault for posting invite codes on public sites:
Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
Vice’s Joseph Cox had also found that many of the publicly available URLs for private chats led to groups for sharing porn. But others appear to be for groups that share other sensitive material: one URL that Vice checked out was leading to a group chat that describes itself as being for NGOs accredited by the United Nations.
Vice joined and was able to view a list of all 48 participants and their phone numbers.
Just the latest
WhatsApp may well be encrypted end-to-end, but it’s certainly had its share of security pratfalls. Earlier this month, for example, PerimeterX researcher Gal Weizman uncovered a clutch of vulnerabilities that led him to a cross-site scripting (XSS) flaw affecting WhatsApp desktop for Windows and macOS when paired with WhatsApp for iPhone – a flaw that gave attackers access to local files.
Other recent incidents have included an MP4 flaw that could have led to remote code execution (RCE), and another involving malicious GIFs that did the same thing on Android.
Last May, a severe WhatsApp zero-day was being exploited by a nation state group to attempt to install spyware on targets simply by phoning them. In 2018, Google researchers revealed a flaw that could have compromised a device, again via a simple call.
Facebook is now in the process of stitching together the technical infrastructure of all its messaging products – Instagram, Facebook Messenger and WhatsApp – so that users of each app can talk to each other more easily.
Whatever happened behind the scenes with this glitch getting semi-fixed, WhatsApp and Facebook don’t seem to want to reach out to all the major search engines to get group chat links de-indexed. Or, at least, if they’re in the process of doing that, it’s certainly not something that’s being owned up to publicly.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.
