WhatsApp, Telegram Group Invite Links Leaked Through Public Searches

Invite links for WhatsApp and Telegram groups that may not be meant to be open to the public can be found through simple searches on popular web search engines.

Both companies have taken certain steps to protect user privacy, but more effort is needed to make the links completely undiscoverable through public searches. As it stands, anyone who finds them can join the group.

Jordan Wildon, a Deutsche Welle multimedia journalist, warned Friday that the lapses allowed some unexpected and even illegal groups to be discovered.

Wildon tweeted that he found links to illegal, far-right and anti-government groups.

Jane Wong, a mobile app reverse engineer, said her Google search returned about 470,000 results, allowing anyone to join the groups and access the telephone numbers of their members.

In all fairness, the privacy of these links is the responsibility of the administrators who generate them. Once shared on the web, the part of the internet indexed by conventional search engines, they can be indexed by public search services.

Google’s public search liaison Danny Sullivan has clarified that the behavior is normal, just as when “a site lets URLs be listed publicly.” Other users have found the same situation using special search parameters. It is not clear whether the administrators made the invite links public intentionally or by mistake. Nonetheless, some very negative results are not hard to find.

The same issue was reported privately to Facebook in November 2019 through its bug bounty program, after group links were found in public searches.

In its reply about the behaviour, however, the company expressed surprise that Google was indexing the links, for some reason.

Over the weekend, Wong found that WhatsApp had taken the first step to keep the invite links private by removing the pages from Google.

The 'noindex' meta tag was also added, preventing web crawlers from indexing the web page with the link, and thus keeping it out of search results. Telegram, it would appear, has not taken action yet.

The change only takes effect on Google. Many other search engines (e.g. Bing, Yandex, Yahoo) still list the links publicly.

Group and channel administrators should be aware that an invite link posted on a public page is automatically indexed by search engines and presented in search results. If the link is supposed to be private, the administrators should give it directly to the members.
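One way to verify that a landing page actually carries the noindex directive described above, as an added example that is not part of the original article or either company's code: the Python sketch below reads a page's robots meta tags and its `X-Robots-Tag` response header and reports which crawlers are told not to index it. It goes slightly beyond the meta tag alone by also covering the header and crawler-specific tags; the sample pages and the list of crawler names are constructed for illustration.

```python
from html.parser import HTMLParser

# Meta names checked: generic "robots" plus some crawler-specific ones
# (assumed list for this example; extend as needed).
CRAWLER_NAMES = {"robots", "googlebot", "bingbot", "yandex"}
BLOCKING = {"noindex", "none"}  # "none" is shorthand for noindex, nofollow


def _tokens(value):
    """Split a comma-separated directive list into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",")} - {""}


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots|<crawler>" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = {}  # meta name -> set of directives

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in CRAWLER_NAMES:
            self.directives.setdefault(name, set()).update(_tokens(a.get("content", "")))


def noindex_scope(html, headers=None):
    """Return the crawler names told not to index the page.

    "robots" in the result means every compliant crawler is covered.
    """
    parser = _RobotsMetaParser()
    parser.feed(html)
    scope = {n for n, d in parser.directives.items() if d & BLOCKING}
    for key, value in (headers or {}).items():
        if key.lower() != "x-robots-tag":
            continue
        # Header form is "noindex" or "googlebot: noindex, nofollow".
        agent, sep, rest = value.partition(":")
        scoped = sep and agent.strip().lower() in CRAWLER_NAMES
        name, directives = (agent.strip().lower(), rest) if scoped else ("robots", value)
        if _tokens(directives) & BLOCKING:
            scope.add(name)
    return scope


# Constructed sample pages (not captured from any real service).
PAGE_OPEN = "<html><head><title>Join group</title></head></html>"
PAGE_ALL = '<html><head><meta name="robots" content="NOINDEX, nofollow"></head></html>'
PAGE_GOOGLE_ONLY = '<html><head><meta name="googlebot" content="noindex"></head></html>'
```

An empty result means the page can be indexed by any crawler that finds a link to it. A result without `"robots"` means only the named crawlers are excluded.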

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.