WhatsApp has an ‘Invite to Group via Link’ feature that lets an admin invite other people to join a group chat by sending over an invite link. But it appears that Google is indexing those invite links, leaving private group chats exposed to anyone who stumbles upon the invite links with a random keyword search.
App reverse-engineer, Jane Manchun Wong, tweeted that Google has indexed around 470,000 WhatsApp group invite links. A simple keyword search by using the “chat.whatsapp.com” URL extension will reportedly let random people discover a WhatsApp group chat without ever being invited to join it.
We were able to independently verify that this frightening vulnerability is very real, and it let us join a random WhatsApp group by using an indexed link with relative ease. Regarding the grave privacy issue, here’s what a WhatsApp spokesperson was quoted as saying:
Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
It appears that the only way to keep group chats private is by invalidating the older invite link. Group admins should generate a new invite link to their WhatsApp group, because doing so will automatically invalidate the older one that has been indexed by Google. But as per multimedia journalist Jordan Wildon, there is no way to fully disable a group invite link that is now in public domain.