Ishita Bora: WhatsApp groups are now appearing on Google search along with user profiles and their profile images through search results.
According to the report, WhatsApp has allowed the indexing of group chat invites, which is displaying private groups on search results. With clear access to the links to join a chat, this puts people in the groups vulnerable as anyone can join and see who is on the texting platform.
Basically, anyone could look for a particular WhatsApp group by simply searching for it on Google.
In 2019, WhatsApp experienced something similar but was reportedly fixed last year before the issue grew, where Jane Manchun Wong, the reverse engineer, said that this issue was fixed by adding the ‘noindex’ meta tag on chat invite links and this was followed on future generated group links too. However, the issue now seems entirely different.
Rajaharia, the cybersecurity researcher, has revealed that the messenger hadn’t included a robots.txt file (a file to regulate search engine crawlers) particularly for its web interface — chat.whatsapp.com.
As per the sources, this robots.txt file is also missing for the api.whatsapp.com subdomain, which is just like group chat invites indexing, making user profiles accessible on Google, with the search engine indexing over 5,000 profile links, allowing anyone to communicate with a user or gain access to their cell number or profile image.
A WhatsApp spokesperson said:
“Since March 2020, WhatsApp has included the “noindex” tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats. As a reminder, whenever someone joins a group, everyone in that group receives a notice and the admin can revoke or change the group invite link at any time.”
The spokesperson added:
“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”