(Numerama Investigation) Google, Bing and other search engines index public invitation links for the encrypted messaging service WhatsApp. These links allow anyone to join many conversations and gain access to thousands of phone numbers. Numerama has been able to find the identity of several public figures.
Update of February 24: Following the publication of our article, we found that since February 22, 2020, Google no longer indexes the public links to WhatsApp group conversations. Qwant and Bing continue to do so, however, so discovering and identifying French telephone numbers is still very much feasible.
Original article from February 21, 2020:
Hundreds of French mobile phone numbers are scrolling, one after the other.
The feminist activist Caroline de Haas; Julien Bayou, national secretary of the party Europe Écologie-Les Verts; a parliamentary assistant of Europe Écologie-Les Verts in the European Parliament; a member of the LREM campaign for the tenth arrondissement of Paris: in a few minutes, we were able to find their identity and phone number without any hacking.
These numbers are accessible through a simple search on a search engine (Google, Qwant, Bing), and they are not the only ones. Search engines have been indexing public WhatsApp conversations for at least several months, without users of the messaging service necessarily being aware of it.
Why are these numbers so easily accessible?
This Friday, February 21, 2020, the American site Vice published a first article exposing this strange behaviour, following a report on Twitter by a German journalist from Deutsche Welle. With a few Google searches, journalists were able to access sensitive WhatsApp group conversations, and therefore obtain hundreds of freely accessible phone numbers. Numerama ran the test itself, and it was conclusive.
We ran Google searches with the URL corresponding to WhatsApp Chat, preceded by different keywords. We managed to join several group conversations in just a few clicks. Although not all of these groups are active, and we do not have access to the messages sent before we joined, the telephone numbers of the people in them are publicly available. These data, already sensitive in themselves, can therefore be easily recovered.
But the problem is even more serious, because it is easy to identify certain members from their profile picture. At least a hundred people present in a conversation concerning the party Europe Écologie-Les Verts in Île-de-France, for example, have set a profile photo on WhatsApp. It is then enough to click on their profile, save the photo and perform a reverse image search on Google to obtain a convincing result for their first and last name, if the same photo has been used on other websites (a Twitter account, a LinkedIn profile).
This is how we were able, in a few minutes, to associate the name of an EELV parliamentary assistant at the European Parliament with his telephone number, which is not public. The same goes for this member of the LREM campaign team at the municipal level for the tenth arrondissement of Paris. Likewise, the telephone number of feminist activist Caroline de Haas is accessible in a WhatsApp conversation whose link was made public.
But this approach could just as well be used against people who are not public figures. In addition to the results of searches related to political parties, many WhatsApp conversations with public links, indexed by Google, contain sensitive information or relate to images of a pornographic nature. The profile photos and telephone numbers of the people who are part of them (public figures or not) are all accessible.
Facebook has known since November 2019
According to expert Jane Wong, it could be a misconfiguration on WhatsApp's side that allowed approximately 470,000 group invitations (the number of results obtained with a search) to be indexed by Google when they should not have been.
These links are generated when, in a group conversation, an administrator clicks on the option "Invite to join the group via link". A window then opens and generates this link, followed by the mention "Anyone with WhatsApp can use this link to join this group. Only share it with people you trust." The link therefore becomes technically public, but it is unlikely that users realize that such links are, at the same time, indexable and indexed by search engines.
It is also through this window that any administrator can stop the public sharing of this link, in particular by clicking on "Reset link", which generates another link. "By resetting this link, no one can use it to join this group," warns WhatsApp. It is not certain that Google or Bing will not re-index the new link, but the measure can serve, at a minimum, as a preventive step.
The indexing of these public links is all the more surprising since it seems that Facebook, the owner of the encrypted messaging service WhatsApp, has been aware of it since at least November 2019. Vijju, an Indian cybersecurity researcher with whom Numerama was able to exchange messages, published a response from Facebook dated November 12, in which a member of the multinational's team told him that this was not, strictly speaking, a flaw, because these are public links, accessible to all, and that it is an intentional decision by WhatsApp. However, the response acknowledges one surprising fact: that Google indexes these links. "Unfortunately, we cannot control everything that search engines like Google and others choose to index. It is for this reason that we will not give you a bonus when it comes to indexing by search engines."
We tested the same type of search on Qwant, the French engine. We did not find the same links to the same WhatsApp groups, but there were many links: we were able to access many group conversations, as well as their members' phone numbers. A search on Bing also returns more than 697,000 results that lead to public WhatsApp conversation links.
Google has acknowledged our questions concerning this indexing; we will update this article in the event of official communication on the subject.
We also recently contacted the CNIL and Facebook on the subject, by email on Friday evening; this article will also be updated if they respond in the coming days.