Friday, 21 February 2020

PSA: Don’t Post Links to Private WhatsApp Groups

Although WhatsApp is well-known for its security and end-to-end encryption, posting links to WhatsApp groups can open the entire group to the internet.

Jordan Wildon, a journalist with DW News, first noticed that Google was indexing WhatsApp invitation links.

Your WhatsApp groups may not be as secure as you think they are.

The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups.

— Jordan Wildon (@JordanWildon) February 21, 2020

Following his tweet, Jane Manchun Wong—who specializes in reverse engineering apps to uncover security flaws—confirmed the issue.

A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines

It should’ve been Disallowed with robots.txt or with the noindexmeta tag

thanks @JordanWildon for the tip

— Jane Manchun Wong (@wongmjane) February 21, 2020

 

Motherboard did further testing and was able to join a variety of groups, including one that claimed to be “NGOs accredited by the United Nations.” Motherboard was able to see all of the group participants and their phone numbers.

Google has said there is nothing wrong with what’s occurring, and this is a simple case of their search engine indexing publicly available information, just as it would any other source.

In a statement to Motherboard, WhatsApp confirmed that stance: “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

The takeaway here is that if users want to keep their WhatsApp groups private, they shouldn’t share access via public links. Doing so essentially serves as an open invitation, only requiring someone to put forth the time and effort to find such groups.

The post PSA: Don’t Post Links to Private WhatsApp Groups appeared first on WebProNews.



from WebProNews https://ift.tt/32ohBaQ

No comments:

Post a Comment