The way it works is related to the "invite to group via link" feature, which is incredibly useful for groups with loads of members, so that you don't have to go through the rigmarole of adding each individual person as a contact to let them join the group.
But as a result, as soon as the link is posted somewhere these groups are indexed on Google, meaning that the links allowing you to join are completely searchable. You can click on the Google result and just select "join group". It's that simple.
You won't be able to see what people have been talking about so far, but in busy groups with lots of members and incessant chatter, we all know that a "Joe Bloggs joined this group" message could easily be missed.
One user appears to have spotted this issue, and wrote to Facebook (which owns WhatsApp) to report it. Facebook's alleged response was to say that group admins can invalidate the link. However, this option doesn't appear to be easily accessible.
What does this mean?
When you join a group you won't be able to see any messages sent prior to you joining, but members' phone numbers are readily available, as are their pictures which can easily be cross-referenced by reverse image searching. Events are also public, as are any subsequent messages.
This may not be a huge deal for those of us in the odd family WhatsApp group, but could have huge repercussions for larger political groups which use the service to organise. It would also mean that groups exchanging illegal porn, far-right or extremist groups and groups used to sell illegal drugs could be easily infiltrated.
WhatsApp heavily markets its end-to-end encryption which supposedly keeps your messages entirely secure.
Many people rely on this and use it to exchange sensitive information.
Jane Manchun Wong, whose Twitter bio says she "reverse-engineers apps for hidden features and security vulnerabilities", states that almost half a million WhatsApp groups are affected.
A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines
It should’ve been… https://t.co/BHtnVle3nO
— Jane Manchun Wong (@Jane Manchun Wong)
A spokesperson for Facebook Inc told indy100: "Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website."
They also said that when a group link is generated, it would clearly warn users of the potential privacy issues. However, we tested this out on an existing WhatsApp group and received no such warning.
We went back to Facebook to enquire about this discrepancy, and they confirmed the original information we were given was incorrect, and added: "When someone joins a group via a group invite link, everyone in that group receives a notification."
But people often dip in and out of groups, silence notifications or simply assume that anyone who has joined will have been invited by someone else, so this doesn't seem like an efficient way to ensure the groups stay secure.
How does it work?
You literally type "site:chat.whatsapp.com" plus a word and up they pop.
You can then join the chat and just quietly watch from afar.
This search reportedly brings up any group where the admin has shared the link anywhere on the internet, although it would seem that even those which haven't could be vulnerable.
On top of that, even if you haven't shared the link, it's possible, but difficult, to run a kind of brute-force met… https://t.co/j3Kj0uhshL